General
Target: ORDINE.7z
Size: 1KB
Sample: 220725-kszb8sbfek
MD5: efd2320e0e7f981e03994d68d8285853
SHA1: 7912a8c9a31ad0506535f44001444f010f256ce6
SHA256: abb023216cf01005730aefe0b0948043285674f51036ab6c568bb76c49ac438c
SHA512: 71f53da29618ceec4151326229a70c2537998e7a985d8ab53d07b7f0b73bac109c3225eb04ae2a3685edc130458c48624a38bb392fe260c8e877e4a9a1ac5889
Static task: static1
Behavioral task: behavioral1
Sample: ORDINE.vbs
Resource: win7-20220715-en
Malware Config
Extracted
URL: http://20.7.14.99/dll/14-07-2022.mp4
Extracted
Family: lokibot
C2:
http://vlascx.xyz/luck/cx/kai.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
Target: ORDINE.vbs
Size: 231KB
MD5: e020cd23ba91c3f6ad9c9ed3d6f391b5
SHA1: c924b29e61a4765cee969e841a76e304b646c168
SHA256: d985cfc667c76c46662c1de784d8d8844af661f9fe421ab9f0a4f8d704002738
SHA512: 6f01979834b8de6979bb485edaff44079ca58923b2e333e6e089ef76f73b13e6b5c51d2220163c0a216bc1f5576be4c0fc30867743e7f1ef70054868b083ff86
Signatures
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE Powershell commands sent B64 3
Blocklisted process makes network request
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
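The extracted C2 list, the staging URL and the sample hashes above are the indicators a responder would sweep for. The script below is an added example, not part of this report or of any sandbox's own tooling: it parses a few constructed proxy log lines (the "timestamp source method url status user-agent" format is an assumption) and flags the LokiBot indicators from this page. Two heuristics are assumptions rather than report facts: the User-Agent check matches any agent carrying both the "Charon" and "Inferno" tokens named in the ET rule, and a 404 answered by a known C2 host is tagged as the fake-404 beacon reply rather than treated as noise.

```python
"""Sweep constructed proxy log lines for the indicators in this LokiBot report.

Added example; the log format and the sample lines are constructed for
illustration and are not from the sandbox run described on the page.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's Malware Config and hash sections.
C2_URLS = [
    "http://vlascx.xyz/luck/cx/kai.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
STAGE_URLS = {"http://20.7.14.99/dll/14-07-2022.mp4"}
SAMPLE_SHA256 = {
    "abb023216cf01005730aefe0b0948043285674f51036ab6c568bb76c49ac438c": "ORDINE.7z",
    "d985cfc667c76c46662c1de784d8d8844af661f9fe421ab9f0a4f8d704002738": "ORDINE.vbs",
}

# Assumption: the ET rule "LokiBot User-Agent (Charon/Inferno)" is satisfied by
# any User-Agent carrying both tokens; we do not assume an exact string.
UA_TOKENS = ("charon", "inferno")

C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
C2_HOST_PATHS = {(urlsplit(u).hostname, urlsplit(u).path) for u in C2_URLS}

# Constructed log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def classify(line):
    """Return a dict describing the line and its indicator hits, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path
    reasons = []
    if (host, path) in C2_HOST_PATHS:
        reasons.append("lokibot_c2_url")
    elif host in C2_HOSTS:
        reasons.append("lokibot_c2_host")       # same host, different path
    if url in STAGE_URLS:
        reasons.append("stage_download_url")
    if all(tok in ua.lower() for tok in UA_TOKENS):
        reasons.append("lokibot_user_agent")
    # Assumption: a 404 from a known C2 host is the fake-404 beacon reply the
    # ET rule describes; a 404 from anywhere else is ordinary noise.
    if status == "404" and host in C2_HOSTS:
        reasons.append("fake_404_response")
    return {"ts": ts, "src": src, "method": method, "host": host,
            "status": status, "reasons": reasons}


def scan(lines):
    """Return only the parsed lines that matched at least one indicator."""
    hits = []
    for line in lines:
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


def lookup_hash(sha256):
    """Map a SHA256 (any case) to the report's sample name, or None."""
    return SAMPLE_SHA256.get(sha256.strip().lower())


# Constructed sample log: one benign request, the stage download, a C2 POST
# to an exact config URL, a POST to a C2 host on another path, and a malformed line.
SAMPLE_LOG = [
    '2022-07-25T10:00:01Z 10.0.0.5 GET http://www.example.com/ 200 "Mozilla/5.0"',
    '2022-07-25T10:00:05Z 10.0.0.5 GET http://20.7.14.99/dll/14-07-2022.mp4 200 "Mozilla/5.0"',
    '2022-07-25T10:00:09Z 10.0.0.5 POST http://vlascx.xyz/luck/cx/kai.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    '2022-07-25T10:00:12Z 10.0.0.5 POST http://alphastand.top/alien/other.php 404 "Mozilla/4.08 (Charon; Inferno)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["src"], hit["host"], ",".join(hit["reasons"]))
    print(lookup_hash("D985CFC667C76C46662C1DE784D8D8844AF661F9FE421AB9F0A4F8D704002738"))
```

The host-only match is kept separate from the exact-URL match on purpose: LokiBot panels are regularly re-deployed under new paths on the same domain, so a host hit is still worth a ticket even when the path in the extracted config no longer matches.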