General
Target: Draft Of Shipping Docs.xlsm
Size: 203KB
Sample: 220705-jbtvrafadp
MD5: e0e217bf187d940292bf1e3bd743ed2e
SHA1: 37698145a8bdf43c3b4dc77f2e234b715f1953ee
SHA256: 591eabded5e77dfd437b36706f36d41b4f1c580e945a85a9e7904c8e35dc8f7d
SHA512: 5ac9bc896ec907598688bc3090b07ccd2ecab6ffe7d0be9bf71bfc3e7ecb7e3579b89b45dda199192163baa3fadd00562a3d22948595355dd7f1afbe17d9f452
Static task: static1
Behavioral task: behavioral1
  Sample: Draft Of Shipping Docs.xlsm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Draft Of Shipping Docs.xlsm
  Resource: win10v2004-20220414-en
Behavioral task: behavioral3
  Sample: decrypted.xlsm
  Resource: win7-20220414-en
Malware Config
Extracted: lokibot
- http://sempersim.su/gf10/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets

Target: Draft Of Shipping Docs.xlsm
Size: 203KB
MD5: e0e217bf187d940292bf1e3bd743ed2e
SHA1: 37698145a8bdf43c3b4dc77f2e234b715f1953ee
SHA256: 591eabded5e77dfd437b36706f36d41b4f1c580e945a85a9e7904c8e35dc8f7d
SHA512: 5ac9bc896ec907598688bc3090b07ccd2ecab6ffe7d0be9bf71bfc3e7ecb7e3579b89b45dda199192163baa3fadd00562a3d22948595355dd7f1afbe17d9f452
Signatures:
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext

Target: decrypted
Size: 196KB
MD5: 00f3575ade589b67fa914fc408db0440
SHA1: db7fc7b0747bd00c97339dd2640d83b2af20393f
SHA256: 84abe5ae1fcb927fb52ffd6c0f322fc9e30fad520d09ac7e123354a557de6aeb
SHA512: 77577de214c1c54829d4a01561c5268779dd137341b939c1e3fa6433f1a5eba155efb1400130abc70ce9fa4e284f62d8eda6641a40aaeea572d8c65050d78e81
Signatures:
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext