General
- Target: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.8027.17789.xlsx
- Size: 184KB
- Sample: 230120-cx1f4adc3y
- MD5: 11755fd7597fe1225eee8f2a91b02f72
- SHA1: e76614f8b9d2da386f0e45664c769792e6a6101c
- SHA256: 263485c2c9e4da2fa483d9bf845262fe0faebaf19ffc2c9b8fe5b3e86bea1c67
- SHA512: 9b7fe6e0e2aef976022074231261593276a0a8d0e61a779362a98e5197c5e152bf7ffc3da2fb850ed221544aae17a3a34f4e5c20a146a47ca03e060777ffcd6e
- SSDEEP: 3072:dt9hc1mt9hcuNfZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAnkheagLYvOHBIkt1Lf1:Tc10cuNZ+RwPONXoRjDhIcp0fDlavx+E
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.8027.17789.xls
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.8027.17789.xls
- Resource: win10v2004-20221111-en
Malware Config
Extracted
lokibot
https://sempersim.su/ha3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
- Target: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.8027.17789.xlsx
- Size: 184KB
- MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above
- Score: 10/10
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext