General
-
Target
1b4be675b849a4b047e6f582a162fe97
-
Size
246KB
-
Sample
220707-f71rdsfhe4
-
MD5
1b4be675b849a4b047e6f582a162fe97
-
SHA1
5289b3e3947012da23cdab07f4e14ee82725b5e2
-
SHA256
1880b6af42560176e6386ac74fef094bc61fb4baa7c949af61856a3602341c8a
-
SHA512
85841185a7d7bf08f54c5be8b4246d78d41a2e24e1cdba54db998a69a1db0233b4549e25225082faca34ce59869e2def5b989df24b8f797b5290f38465a425c1
Static task
static1
Behavioral task
behavioral1
Sample
Payment Advice.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Payment Advice.xlsx
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
decrypted.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
decrypted.xlsx
Resource
win10v2004-20220414-en
Malware Config
Extracted
lokibot
http://hyatqfuh9olahvxf.ga/BN1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
Payment Advice.xlsx
-
Size
177KB
-
MD5
a7f141d20c017dcfc0c0f953ab70849e
-
SHA1
730dc699b2fc062385cb8642c9d32fa792aab3f3
-
SHA256
a218f6790ee850c45bc013ffa81350ff30770d0d06d1d16e0bde8a093fd63969
-
SHA512
5ad0d20ec9ffc2cf6e48067920d6f97cae4787ba8baf3f6a71218fe2be060d167bb20ce9ca822038409114eb688c70de864de7a7e9f687c4d80d477b7e31d2f4
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
-
-
Target
decrypted
-
Size
170KB
-
MD5
68f25039e42b31408e1e22ea9fac7cf7
-
SHA1
a507fcc5d4d7a1bbea2fd893576043bf9279d11d
-
SHA256
71e1418e7cf4790fff7f22539f12ccf1a0d9fb9a419e138034ea7a954f4a9a51
-
SHA512
e9135a676e2c7d5e43896fc8f6b41b5d15ce0940ed60e8de157b4bdd7d8eb09424f43a3cebab8cc21919002558f5ce012589dc61ce3c0e575584bd446a956f2e
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
-
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
-
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
-
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
-
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
-
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-