General
Target: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.382.16964.xlsx
Size: 185KB
Sample: 230120-cx1f4adc3v
MD5: 4c47656c02c88cdec7e454b7566750a3
SHA1: efc679a688d27742226754433c026fa9c6a59b12
SHA256: 64629388f660c5b68375082dfbd9aedb1fd86c7aed1db141a6102bbf5d6f8188
SHA512: 774f9b4c9176d618c6e95c71ace7c4412e1afb63f4970f0416ed135bacbb6a346f14b28a9d2155854b0db0aaaafac5c8aa7104a8a6da25bdae820c67ecff092c
SSDEEP: 3072:Ft9hc1Ut9hcu/fZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAiv8FsutHrnvZA9AOUde:Lc1+cunZ+RwPONXoRjDhIcp0fDlavx+5
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.382.16964.xls
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.382.16964.xls
Resource: win10v2004-20220812-en
Malware Config
Extracted family: lokibot
C2 URLs:
- https://sempersim.su/ha1/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.382.16964.xlsx
Size: 185KB
MD5 / SHA1 / SHA256 / SHA512 / SSDEEP: identical to the values listed under General above
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext