General
Target: NEW ORDER.xlsx
Size: 229KB
Sample: 211206-ham55sddfp
MD5: dd939aae349dc2b9add3f26114da4a73
SHA1: 160a127eecd37636c220f5c149913259d017717a
SHA256: c2a82bda3c388a3797d84e1078b1b66ee74430aa4f26afb46cd190f2fc8b68ab
SHA512: 3acfb39ccd30f17eb390229200ad92301e17cb84ff726ff587e8644c1b96f610cc4913e2f59c0409a6c53546ea7d262e79732a938b2171e74d9daed47914b52f
Static task: static1
Behavioral task: behavioral1 (Sample: NEW ORDER.xlsx, Resource: win7-en-20211104)
Behavioral task: behavioral2 (Sample: NEW ORDER.xlsx, Resource: win10-en-20211014)
Malware Config
Extracted: lokibot
http://secure01-redirect.net/gb22/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: NEW ORDER.xlsx
Signatures
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext