General

Target:  scan-payment-advice.xlsx
Size:    187KB
Sample:  220126-prcjasdbg8
MD5:     1ee28e0a4fb0347903ccba42bfe31a82
SHA1:    270bb16f351de8ca08a44fe9dbbd583f3bab6542
SHA256:  fc49b59b9a064969f60a681e7fc0092733b318baa43eaff67ee44536bfae94c5
SHA512:  0999063541d08479413b49642a4abc60efb4ffbe86f532ff63b9eabba71096612c792739cb0a2c91ba33074ddad4892319be0afc58dc962784afc8d55f931cdc
Tasks

Static task:      static1
Behavioral task:  behavioral1  (sample: scan-payment-advice.xlsx, resource: win7-en-20211208)
Behavioral task:  behavioral2  (sample: scan-payment-advice.xlsx, resource: win10-en-20211208)
Malware Config

Extracted family: lokibot
C2 URLs:
- http://62.197.136.186/baba/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
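The hashes and C2 URLs above are the indicators an analyst actually takes away from this report. The script below is an added example, not part of the sandbox report or of any tool it names: it hashes a file with all four digests listed and compares it against the sample, extracts the C2 hostnames from the extracted config, and runs an exact host/URL match over proxy log lines. The log lines and their format (timestamp, client IP, method, URL, status) are constructed for the demonstration. One caveat when pivoting on these URLs: the four alien/fre.php hosts recur across many LokiBot samples as hard-coded defaults of the cracked builder, so the 62.197.136.186 panel URL is the stronger indicator for this particular sample.

```python
"""Hash and C2 indicator checks for the scan-payment-advice.xlsx report.

Added example; not part of the sandbox report or of any tool it names.
The digests and C2 URLs below are copied from the report. The proxy log
lines are constructed for the demonstration and the log format
(timestamp, client IP, method, URL, status) is an assumption.
"""
import hashlib
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "1ee28e0a4fb0347903ccba42bfe31a82",
    "sha1": "270bb16f351de8ca08a44fe9dbbd583f3bab6542",
    "sha256": "fc49b59b9a064969f60a681e7fc0092733b318baa43eaff67ee44536bfae94c5",
    "sha512": "0999063541d08479413b49642a4abc60efb4ffbe86f532ff63b9eabba71096612c792739cb0a2c91ba33074ddad4892319be0afc58dc962784afc8d55f931cdc",
}
LOKIBOT_C2_URLS = [
    "http://62.197.136.186/baba/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]

# Constructed proxy log lines (not from the report); format is an assumption.
SAMPLE_PROXY_LOG = [
    "2022-01-26T10:02:11Z 10.0.0.12 POST http://62.197.136.186/baba/Panel/five/fre.php 200",
    "2022-01-26T10:02:13Z 10.0.0.12 GET http://www.microsoft.com/ 200",
    "2022-01-26T10:02:40Z 10.0.0.12 POST http://alphastand.top/alien/gate.php 503",
    "2022-01-26T10:03:05Z 10.0.0.31 GET http://alphastand.example.org/ 200",
    "2022-01-26T10:03:09Z 10.0.0.31 CONNECT kbfvzoboss.bid:443 200",
]
URL_RE = re.compile(r"\s(?:GET|POST|CONNECT)\s+(\S+)")


def digests(data: bytes) -> dict:
    """Compute every digest the report lists, so all four can be compared at once."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matching_hashes(data: bytes) -> list:
    """Names of the report's digests that `data` matches (empty list = not this sample)."""
    return sorted(n for n, h in digests(data).items() if h == SAMPLE_HASHES[n])


def check_file(path) -> list:
    """Hash a file on disk and compare it against the report's digests."""
    return matching_hashes(Path(path).read_bytes())


def c2_hosts(urls=LOKIBOT_C2_URLS) -> set:
    """Hostnames (or literal IPs) of the extracted C2 URLs, for DNS/proxy matching."""
    return {urlparse(u).hostname for u in urls}


def scan_proxy_log(lines, urls=LOKIBOT_C2_URLS) -> list:
    """Flag log lines that reach a C2 URL exactly ("url") or any C2 host ("host").

    Host matching is exact: alphastand.example.org is not alphastand.top.
    CONNECT lines carry host:port with no scheme, so a // prefix is added
    before parsing so that urlparse treats the value as a netloc.
    """
    hosts = c2_hosts(urls)
    exact = set(urls)
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        host = urlparse(url if "://" in url else "//" + url).hostname
        if url in exact:
            hits.append((host, "url", line))
        elif host in hosts:
            hits.append((host, "host", line))
    return hits


if __name__ == "__main__":
    # Optional: pass a file path to compare it against the report's hashes.
    if len(sys.argv) > 1:
        print("hash matches:", check_file(sys.argv[1]) or "none")
    for host, kind, line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{kind:4} {host:20} {line}")
```

Matching on the exact hostname rather than a substring is deliberate: a look-alike such as alphastand.example.org must not fire, while any path under a known C2 host still does, since LokiBot panels are routinely moved between gate scripts on the same host.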
Targets

Target: scan-payment-advice.xlsx, 187KB (MD5, SHA1, SHA256 and SHA512 identical to the General section above)
Signatures

- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta
  Malware in the Neshta family is a file infector: it writes its own code into other executables on the host, so that running any infected program spreads the virus further and corrupts the original files.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe launched as a host for the payload)
- Accesses Microsoft Outlook profiles (credential theft consistent with the extracted LokiBot config)
- Suspicious use of SetThreadContext (setting another process's thread context is the final step of process hollowing)