General
Target: tmp/b94ec322912fb3585968d01b21a8afac8e06dfc54271697c44b0e80d108c9869.xls
Size: 229KB
Sample: 211203-r29mwsghbn
MD5: 2983133e98fb409fa5aaa175df132696
SHA1: 54b20dcddc3fdc2d6b35a93159b7738cb42c6f50
SHA256: b94ec322912fb3585968d01b21a8afac8e06dfc54271697c44b0e80d108c9869
SHA512: f576b435b501509e981f1a50394b44f2474c9a1742e413bf1b977a03abf469ce02d2e100ebc6552bcdca30563a1ed4b54018f1d5542829339c202b4144189fdb
Static task: static1
Behavioral task: behavioral1
Sample: tmp/b94ec322912fb3585968d01b21a8afac8e06dfc54271697c44b0e80d108c9869.xls
Resource: win7-en-20211104
Behavioral task: behavioral2
Sample: tmp/b94ec322912fb3585968d01b21a8afac8e06dfc54271697c44b0e80d108c9869.xls
Resource: win10-en-20211014
Malware Config
Extracted: lokibot
http://pticallogz.xyz/oluwa/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext