General
- Target: 0022.xlsx
- Size: 1.1MB
- Sample: 211029-ptgk2aaadj
- MD5: f423597222898a097d30adbc3d168a87
- SHA1: e199e53576397ee7296e3b0f5ad3cee1ca147e06
- SHA256: ce8ca35bad6b0e2c5aeefed0b34b09dff56fdce32d14246c011d9401bc6e3ba2
- SHA512: 3753f25a9f431770053e0ec55af590979b05fd936b8f5a9fd712d69dbe0f3e177640aff6c08cb65232b5ee70a35894f27b3d0c2a201491cbe87cb055d54e8843
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 0022.xlsx
  - Resource: win7-en-20210920
Behavioral task
- behavioral2
  - Sample: 0022.xlsx
  - Resource: win10-en-20211014
Malware Config
Extracted family: lokibot
C2 URLs from the extracted config:
- http://63.250.40.204/~wpdemo/file.php?search=9099522
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: 0022.xlsx (size and hashes as listed under General)
Signatures:
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext