General
Target: PO-3682036-2022-1-001.xlsx
Size: 229KB
Sample: 211207-nmqdxsghgm
MD5: 0873c7f6af3985eafe315822eed4aa6e
SHA1: 8c467d276939599c65dff0bff20cb7ee7386f5dc
SHA256: b28ba5ece1551484bd5b28fbf7e701d03a4cf7969839b98aca47bbb4d6a0b09e
SHA512: 66a5f4c26d041c49798f77ac429cca8146535a896d2f43e13c9098142aba053028c6b0dc42d164ec1c3a79de0693a5ef3743ba0ac30b87977b661f65a8c23626
Static task: static1
Behavioral task: behavioral1
  Sample: PO-3682036-2022-1-001.xlsx
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: PO-3682036-2022-1-001.xlsx
  Resource: win10-en-20211014
Malware Config
Extracted: lokibot
  http://secure01-redirect.net/gb11/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: PO-3682036-2022-1-001.xlsx
Size: 229KB
MD5: 0873c7f6af3985eafe315822eed4aa6e
SHA1: 8c467d276939599c65dff0bff20cb7ee7386f5dc
SHA256: b28ba5ece1551484bd5b28fbf7e701d03a4cf7969839b98aca47bbb4d6a0b09e
SHA512: 66a5f4c26d041c49798f77ac429cca8146535a896d2f43e13c9098142aba053028c6b0dc42d164ec1c3a79de0693a5ef3743ba0ac30b87977b661f65a8c23626
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext