General
- Target: RFP20220707DX1.xlsx
- Size: 176KB
- Sample: 220706-gh8w5sheak
- MD5: 56216ff6352da0391772dbfcc6048c60
- SHA1: 1f25f87f68748566062820ec293f7c1678d301ce
- SHA256: 82e7f3f4e817a291abb29ae2698c1242d3d53f39a37f1530d4210573f26fade9
- SHA512: e9fd9b0b7f82889d7e81cb29d9dfbf5832f32e909f79209dd594631292622972728dcf898d875d42f47554071b0b12fba6486eeabc668f716ea84f92790c3de2
Static task
- static1
Behavioral task
- behavioral1 (Sample: RFP20220707DX1.xlsx, Resource: win7-20220414-en)
Behavioral task
- behavioral2 (Sample: RFP20220707DX1.xlsx, Resource: win10v2004-20220414-en)
Malware Config
Extracted: lokibot
- http://45.133.1.20/rostov2/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- suricata: ET MALWARE LokiBot Fake 404 Response
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
- suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
- suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext