General
Target: PO 7422.xlsx
Size: 177KB
Sample: 220704-jgdeysfchl
MD5: 4b6244a1bfb04a6e70126f14496df159
SHA1: 64cb1626e363a7aca0158f853fa6aeae6c9ed334
SHA256: 2dadabbf7599c51d7fb332314c39ef18d8a2d229f66967402f4870bf97dc1a65
SHA512: cec3b56bd95ef86fc9445ca013d2f349680df04108b62ff01381bfe976bd85237e195890425985f7aeef17d15b423794f497e9f9261d263f149225a1f5fb1f76
Static task: static1
Behavioral task: behavioral1 (Sample: PO 7422.xlsx, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: PO 7422.xlsx, Resource: win10v2004-20220414-en)
Malware Config
Extracted family: lokibot
C2 URLs:
- http://185.102.170.20/demo/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: PO 7422.xlsx (177KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Suricata signatures
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Behavioral signatures
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext