General
- Target: Cfr Valencia.xll
- Size: 638KB
- Sample: 220120-sm8mqaadh3
- MD5: 6310f37fbd1aa534f7b9f1460abdd71e
- SHA1: 884f46e90911f189468b85edae4f8e062041e7f0
- SHA256: d760728ecf0507ccbae3243c53b608953d00f90b8c66a8bb9d24f6c2ae2195d3
- SHA512: c7292ec258f2d12d1d39c6aedecc8fc8427256115c36953b0a38d373fe23fb0a466ddbc98e5ab1fe6d1583ad8b6e1b756df9bb55cbe083157d7052b5698cc314
Static task: static1
Behavioral task: behavioral1
- Sample: Cfr Valencia.xll
- Resource: win7-en-20211208
Malware Config
Extracted: lokibot
- http://windowssecuritycheck.gdn/gx/l/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Extracted: pony
- http://windowssecuritycheck.gdn/gx/p/gate.php
Targets
- Target: Cfr Valencia.xll
- Size: 638KB
- MD5: 6310f37fbd1aa534f7b9f1460abdd71e
- SHA1: 884f46e90911f189468b85edae4f8e062041e7f0
- SHA256: d760728ecf0507ccbae3243c53b608953d00f90b8c66a8bb9d24f6c2ae2195d3
- SHA512: c7292ec258f2d12d1d39c6aedecc8fc8427256115c36953b0a38d373fe23fb0a466ddbc98e5ab1fe6d1583ad8b6e1b756df9bb55cbe083157d7052b5698cc314
Signatures
- Downloads MZ/PE file
- Executes dropped EXE
- Checks QEMU agent file: checks for the presence of the QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext