General
Target: tmp/4360ca67f6b0a71315fc76a1e5fe00f128cf7a26d119b59be292f7c08698aef0.xls
Size: 229KB
Sample: 211206-jwgqxsdefm
MD5: 6dfddc39f73227d50cf184e704a26a97
SHA1: 575aee5f518defa627ec4945202c1e7ddbe9fade
SHA256: 4360ca67f6b0a71315fc76a1e5fe00f128cf7a26d119b59be292f7c08698aef0
SHA512: a61f5a9ca0369fc9685425214c6b900ac132c1c1020d9f195afb2ca59fe5db11212e358788e8ac84576714a0439e4fa5e9c7dde819e5867982030ecff198b79e
Static task: static1
Behavioral task: behavioral1
  Sample: tmp/4360ca67f6b0a71315fc76a1e5fe00f128cf7a26d119b59be292f7c08698aef0.xls
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: tmp/4360ca67f6b0a71315fc76a1e5fe00f128cf7a26d119b59be292f7c08698aef0.xls
  Resource: win10-en-20211014
Malware Config
Extracted: lokibot
http://195.133.18.144/main/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: tmp/4360ca67f6b0a71315fc76a1e5fe00f128cf7a26d119b59be292f7c08698aef0.xls
Size: 229KB
MD5: 6dfddc39f73227d50cf184e704a26a97
SHA1: 575aee5f518defa627ec4945202c1e7ddbe9fade
SHA256: 4360ca67f6b0a71315fc76a1e5fe00f128cf7a26d119b59be292f7c08698aef0
SHA512: a61f5a9ca0369fc9685425214c6b900ac132c1c1020d9f195afb2ca59fe5db11212e358788e8ac84576714a0439e4fa5e9c7dde819e5867982030ecff198b79e
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext