General
Target: VDI-QUOTATION-PAYMENT.xlsx
Size: 229KB
Sample: 211125-vgv6jsfhdj
MD5: 1325c1dc4db5e238475858c2feaa326a
SHA1: 9f611b8cfd41c1dc854ab0f3bad6437bcc309a74
SHA256: c84daab0159e54c17bbb8ff7c7d61111fef8588a9a540f5b5f74eb66aa1d1265
SHA512: 4a42596ff13261dd7779d0b6213520370b8e0ef4ba2e8e237c74cb5969693dea720e28d2197c22dde74e264989fe61fc1af98da6581d0a65f2921b990d235847
Static task: static1
Behavioral task: behavioral1 (Sample: VDI-QUOTATION-PAYMENT.xlsx, Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: VDI-QUOTATION-PAYMENT.xlsx, Resource: win10-en-20211104)
Malware Config
Extracted: lokibot
- http://secure01-redirect.net/fd4/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: VDI-QUOTATION-PAYMENT.xlsx
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext