General
Target: 533ec2002e6dcf5cc585823bacd4647a1fb83758993ba716be76f24c0a2fa2ae.zip
Size: 7KB
Sample: 230208-ly8crsab49
MD5: 5729e3fa88f81662f1abe463045b3ea6
SHA1: 0ddf0742cddcc6870b9d9df4630e49ee65b98948
SHA256: c2086058502d0cfaf13a240feccd047fb8dd996086bd6cf1b253f2d196cb7567
SHA512: ad28e3a64a82870ce95894cff0a227df1d13d3b78a195055d85d6099a5b04f85687aed782933dd371534dc1a56d5fa595a39e0ba4ff00e8cb7a330e6e76f2b2b
SSDEEP: 192:GJOsHbet/HEpgpB4Ny3Coyiz9bpPRbFYjh6I6W:qO6e/HEnNALhtY96dW
Static task: static1
Behavioral task: behavioral1
  Sample: 533ec2002e6dcf5cc585823bacd4647a1fb83758993ba716be76f24c0a2fa2ae.docx
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 533ec2002e6dcf5cc585823bacd4647a1fb83758993ba716be76f24c0a2fa2ae.docx
  Resource: win10v2004-20221111-en
Malware Config
Extracted: http://dgdfg00000000hfjf0000000ghfghfgh000000gfhfg0000hfgsdgfggd0000fgdfge00000rtdfgd00000fg00dfg@3221479282/78.doc
Extracted: lokibot
Targets
Target: 533ec2002e6dcf5cc585823bacd4647a1fb83758993ba716be76f24c0a2fa2ae.doc
Size: 10KB
MD5: d07eb11e2f72bde21377460c4eaebfa4
SHA1: 729b4f7d337e88ea40c0d417bd2808f275de733e
SHA256: 533ec2002e6dcf5cc585823bacd4647a1fb83758993ba716be76f24c0a2fa2ae
SHA512: 7a0f0fdecbdc2a8c9b78791b776c95d9a58fb857be65bc0d57b28508eab0080a44f0a16e0d1114e7b2146705186376dbffef22bc0a4ef918ae51c2087db2b66a
SSDEEP: 192:ScIMmtP5hG/b7XN+eO/xXkO+5+5F7Jar/YEChI3UqR:SPXRE7XtOJXk7wtar/YECOUe
Score: 10/10
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext