General
Target: 982811bd1fb10c1efb72f21a21f9a1e9.bin
Size: 39KB
Sample: 230605-n8mvxsge27
MD5: d1709bde8244f0c67d36cae714233764
SHA1: d308255bd95e37e87cae112a62cef1fc70df9589
SHA256: e76516e2d4e6640c63238e3bf20af15d964f5f560807b84519ad30abeab229d2
SHA512: 03cb0f81d18a6a0db355dddbda8bf2e54806841dec818bee9f6c575cdbc83d58dd82f4ca762712436a80054cb7b64459a24a79253f4d1c5db7802458e44fcfd8
SSDEEP: 768:XNZiOT+8rI4x4vagCe5VOGhMhLAh/e+SnbEPdpRIqEnN1Z:zn+8cRag4EaoxIqW
Static task: static1
Behavioral task: behavioral1
  Sample: 9f95cdb078e60a80bdd71e706885ad253f43fe98b4b61868600799a3becb41e5.vbs
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 9f95cdb078e60a80bdd71e706885ad253f43fe98b4b61868600799a3becb41e5.vbs
  Resource: win10v2004-20230220-en
Malware Config
Extracted (download URL): https://firebasestorage.googleapis.com/v0/b/fsociety-ec922.appspot.com/o/rump.txt?alt=media&token=0643a2d7-350d-484f-8dbe-97a53621d0c2
Extracted (lokibot) C2 URLs:
  http://161.35.102.56/~nikol/?p=2132
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: 9f95cdb078e60a80bdd71e706885ad253f43fe98b4b61868600799a3becb41e5.vbs
Size: 411KB
MD5: 982811bd1fb10c1efb72f21a21f9a1e9
SHA1: 7b3d89bd7f559af1a1269fb64298dccf149547c7
SHA256: 9f95cdb078e60a80bdd71e706885ad253f43fe98b4b61868600799a3becb41e5
SHA512: 08ee91b90079bbdd9ee9525dd61c0f5a778390a1dac7b5ca2ea9fed6ef8328974c184534f1c93ed6eae0dfddf7e736391f25d63694c5fc830e434fec53179f11
SSDEEP: 3072:8HGRwfHYFvhNe4VTdRnTT8w4TWb4qsIgZdpe+og0S7wQzS18f8d6bb/g52r:XwfHYFJ4qc
Score: 10/10
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext