General
Target: 31ff99a4b97bef18dad3afc4d6c97df462228c6f1d3a6bf006b9ba75e37abf4a
Size: 816KB
Sample: 220203-rfynhaacbr
MD5: 397641a6b56196b3ae1564fc21d381e2
SHA1: 57c72dca7973f7e1f7f441a5ce2bd0337a21a23b
SHA256: 31ff99a4b97bef18dad3afc4d6c97df462228c6f1d3a6bf006b9ba75e37abf4a
SHA512: 83b829ea847d1e788383c206c105d5fd00b1b8761eee8b13fbc840bc4edeab1b83af3bc65556355af567486d04594d98a55e93fbc9ddb6164ff40e04bd961a48
Static task: static1
Behavioral task: behavioral1
Sample: INQUIRY & CATALOGUE (price list).exe
Resource: win7-en-20211208
Malware Config
Extracted: lokibot
C2 URLs:
http://citiline.org.ng/XXD123-TY/TULIP8890890-56788/Panel/five/fre,php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: INQUIRY & CATALOGUE (price list).exe
Size: 740KB
MD5: f5ebcbcd777e4cf6376638ff623efcdd
SHA1: f1c66455a554029ff6bd8e4ff07585d595bfd4bf
SHA256: 742a212032f0a472436cf72ce564e1645fed57a49bed1e63c78697da276e10fe
SHA512: e5ac03d519a3ac518d1fe3849a5224c79b7f16ad1405dbe5738a35182958296f8d9b072df50dab37115311611d7c54918003c630e7d3b2729deaecddc8c81bff
Signatures
Detect Neshta Payload
Modifies system executable filetype association
Neshta: Neshta is a file-infecting virus; it writes its own code into other executables so that launching an infected program spreads the infection further.
Sets service image path in registry
Checks computer location settings: looks up the country code configured in the registry, most likely to geofence execution.
Suspicious use of SetThreadContext
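The registry- and API-based behaviours flagged in the signature list above, re-implemented as simple rules over constructed sandbox-style events. This is an added example, not Triage's own signature code and not anything taken from this sample. The registry paths checked (the exefile\shell\open\command handler, Services\<name>\ImagePath, and the Geo\Nation and Nls locale keys), the default .exe handler string, the CREATE_SUSPENDED flag value, and the process-hollowing call order that makes SetThreadContext suspicious are assumptions about how these techniques generally work; every event record below is constructed.

```python
"""Rule-based re-implementation of the behavioural signatures in this report,
run over constructed sandbox-style events. Added example; not Triage's signature
code and not derived from this sample. Registry paths, the default .exe handler
and the hollowing call order are assumptions about the technique in general."""
import re

# Default handler for .exe files on a clean Windows install (assumed baseline).
DEFAULT_EXE_HANDLER = '"%1" %*'

# Keys whose reads reveal the configured country/locale (assumed geofence probes).
GEO_KEYS = {
    r"hkcu\control panel\international\geo\nation",
    r"hklm\system\currentcontrolset\control\nls\language",
}

EXEFILE_CMD = re.compile(r"\\classes\\exefile\\shell\\open\\command$", re.I)
SERVICE_IMAGEPATH = re.compile(
    r"\\(currentcontrolset|controlset\d+)\\services\\[^\\]+\\imagepath$", re.I)

# Process hollowing as seen in an API trace: a process started suspended, its
# memory rewritten, the thread context retargeted, then resumed.
# NtUnmapViewOfSection is common but optional, so it is not in the required order.
CREATE_SUSPENDED = 0x00000004
HOLLOW_ORDER = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def classify_registry_event(event: dict) -> list:
    """Return the signature names that one registry event {'op','key','value'} matches."""
    key, op, value = event["key"], event["op"], event.get("value")
    hits = []
    if op == "set" and EXEFILE_CMD.search(key) and value != DEFAULT_EXE_HANDLER:
        hits.append("Modifies system executable filetype association")
    if op == "set" and SERVICE_IMAGEPATH.search(key):
        hits.append("Sets service image path in registry")
    if op == "query" and key.lower() in GEO_KEYS:
        hits.append("Checks computer location settings")
    return hits


def detect_hollowing(calls) -> bool:
    """True if any target pid sees HOLLOW_ORDER in sequence after a suspended CreateProcess."""
    progress = {}  # target pid -> number of HOLLOW_ORDER steps already observed
    for call in calls:
        pid = call["target_pid"]
        step = progress.get(pid, 0)
        if call["api"] != HOLLOW_ORDER[step]:
            continue
        if step == 0 and not (call.get("flags", 0) & CREATE_SUSPENDED):
            continue  # a normal (non-suspended) start is not the hollowing pattern
        progress[pid] = step + 1
        if progress[pid] == len(HOLLOW_ORDER):
            return True
    return False


# Constructed sample events in the shape a sandbox log might be normalised to.
SAMPLE_REGISTRY_EVENTS = [
    # Constructed value in the style of a file-association hijack (not from this sample).
    {"op": "set", "key": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "value": r'C:\Windows\svchost.com "%1" %*'},
    {"op": "set", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "value": r"C:\Users\Public\update.exe"},
    {"op": "query", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"op": "set", "key": r"HKCU\Software\ExampleApp\Settings", "value": "1"},
]

SAMPLE_API_CALLS = [
    {"api": "CreateProcess", "target_pid": 4242, "flags": CREATE_SUSPENDED},
    {"api": "NtUnmapViewOfSection", "target_pid": 4242},
    {"api": "WriteProcessMemory", "target_pid": 4242},
    {"api": "SetThreadContext", "target_pid": 4242},
    {"api": "ResumeThread", "target_pid": 4242},
]

BENIGN_API_CALLS = [  # debugger-style use: not started suspended, no memory rewrite
    {"api": "CreateProcess", "target_pid": 4343, "flags": 0},
    {"api": "SetThreadContext", "target_pid": 4343},
    {"api": "ResumeThread", "target_pid": 4343},
]


def triage(registry_events, api_calls) -> dict:
    """Aggregate the fired signatures into a report-style summary."""
    fired = []
    for ev in registry_events:
        for name in classify_registry_event(ev):
            if name not in fired:
                fired.append(name)
    if detect_hollowing(api_calls):
        fired.append("Suspicious use of SetThreadContext")
    return {"signatures": fired}


if __name__ == "__main__":
    for name in triage(SAMPLE_REGISTRY_EVENTS, SAMPLE_API_CALLS)["signatures"]:
        print(name)
```

The exefile handler rule compares against the clean default rather than matching a known bad path, so any rewrite of the .exe association fires, not only the one shape shown in the constructed event. The hollowing rule keys its state on the target pid and requires the suspended-start flag, which keeps ordinary debugger use of SetThreadContext (the benign trace) from firing.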