General

Target: DOC PO155362A.xls
Size: 2.1MB
Sample: 230628-prrm8ahe26
MD5: cc405078446d5ea6ce484877138cb735
SHA1: aff96898f713888fc18d843729e3350f697ef8e0
SHA256: 5c6cc2867e0257627d62b4af6e6dd845321e31b383b26796fe82db3a8636ce91
SHA512: c1999a61469e18500570e6a0e249e7f081d0c9db929bdc9bd71556da746386fe7e6831df7eeeb684be69829277603b729c1cdc9f155bb01c86dca3f9784cc113
SSDEEP: 49152:djH+MXV9Qp/in668MXxN757J+MXV9qp/in668MXxN757edNYKf:IEvyi5HhN79EEvEi5HhN79ez
Static task: static1
Behavioral task: behavioral1 (sample DOC PO155362A.xls, resource win7-20230621-en)
Behavioral task: behavioral2 (sample DOC PO155362A.xls, resource win10v2004-20230621-en)
Malware Config

Targets

Target: DOC PO155362A.xls
Size: 2.1MB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger: creates a thread with the hide-from-debugger flag set, so an attached debugger receives no events for it.
- Suspicious use of NtSetInformationThreadHideFromDebugger: sets ThreadHideFromDebugger on an existing thread, with the same effect.
- Suspicious use of SetThreadContext: rewrites another thread's register state, a primitive commonly used to redirect execution into injected code.
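The signatures above are names the sandbox assigns to observed API activity. To make clear what each one actually keys on, the following is an added example (not Triage's signature code, and not taken from this report) that re-expresses them as rules over a constructed API-call trace. The trace format, the API names, the qemu-ga path, the "written, then used as a process image" heuristic for dropped executables, and the sample and control traces are all this example's own assumptions; the ThreadHideFromDebugger info class (0x11) and the NtCreateThreadEx hide-from-debugger flag (0x4) are the documented Windows values.

```python
"""Added example: the report's behavioural signatures as rules over an API-call
trace.  Not Triage's code; format, API names and heuristics are assumptions."""
import re
from dataclasses import dataclass

# Constructed trace, not taken from the report.  One call per line:
#   <pid> <image> <api> [<arg>=<value> ...]
SAMPLE_LOG = r"""
1001 EXCEL.EXE NtOpenFile path=C:\Program Files\qemu-ga\qemu-ga.exe status=STATUS_OBJECT_NAME_NOT_FOUND
1001 EXCEL.EXE InternetReadFile bytes=4d5a900003000000
1001 EXCEL.EXE NtWriteFile path=C:\Users\Admin\AppData\Local\Temp\svchost.exe
1001 EXCEL.EXE CreateProcessW image=C:\Users\Admin\AppData\Local\Temp\svchost.exe
2002 svchost.exe RegOpenKeyExW key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2002 svchost.exe RegEnumKeyExW key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall index=0
2002 svchost.exe RegOpenKeyExW key=HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles
2002 svchost.exe NtSetInformationThread handle=0x1f4 class=0x11
2002 svchost.exe NtCreateThreadEx flags=0x4
2002 svchost.exe SetThreadContext handle=0x20c
"""
# Constructed control trace: ordinary activity that must not fire anything.
BENIGN_LOG = r"""
3003 notepad.exe NtOpenFile path=C:\Users\Admin\notes.txt
3003 notepad.exe NtSetInformationThread handle=0x1a0 class=0x2
3003 notepad.exe CreateProcessW image=C:\Windows\System32\cmd.exe
"""

@dataclass
class Event:
    pid: int
    image: str
    api: str
    args: dict

_ARG_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # values may contain spaces

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        pid, image, api, *rest = line.split(maxsplit=3)
        args = dict(_ARG_RE.findall(rest[0])) if rest else {}
        events.append(Event(int(pid), image, api, args))
    return events

FILE_APIS = {"NtOpenFile", "NtCreateFile", "CreateFileW", "GetFileAttributesW"}
REG_APIS = {"RegOpenKeyExW", "RegEnumKeyExW", "RegQueryValueExW", "NtOpenKey"}
THREAD_HIDE_FROM_DEBUGGER = 0x11            # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4

def _hexint(value):
    return int(value, 16) if value else 0

def sig_downloads_mz(events):
    # Data read from the network begins with the DOS header magic "MZ" (4d 5a).
    return any(e.api == "InternetReadFile" and e.args.get("bytes", "").lower().startswith("4d5a")
               for e in events)
def sig_checks_qemu_agent(events):
    # Assumed artefact: the QEMU guest agent binary, absent on real hardware.
    return any(e.api in FILE_APIS and "qemu-ga" in e.args.get("path", "").lower()
               for e in events)
def sig_executes_dropped_exe(events):
    # "Dropped" = a path this trace wrote before using it as a process image.
    written = {e.args["path"].lower() for e in events
               if e.api == "NtWriteFile" and "path" in e.args}
    return any(e.api == "CreateProcessW" and e.args.get("image", "").lower() in written
               for e in events)
def sig_accesses_outlook_profiles(events):
    return any(e.api in REG_APIS and r"\outlook\profiles" in e.args.get("key", "").lower()
               for e in events)
def sig_checks_installed_software(events):
    return any(e.api in REG_APIS and
               e.args.get("key", "").lower().endswith(r"\currentversion\uninstall")
               for e in events)
def sig_createthreadex_hide(events):
    return any(e.api == "NtCreateThreadEx" and
               _hexint(e.args.get("flags", "")) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER
               for e in events)
def sig_setinfo_hide(events):
    return any(e.api == "NtSetInformationThread" and
               _hexint(e.args.get("class", "")) == THREAD_HIDE_FROM_DEBUGGER
               for e in events)
def sig_set_thread_context(events):
    # The sandbox flags any use; a tighter rule would pair it with a suspended child.
    return any(e.api == "SetThreadContext" for e in events)

SIGNATURES = {
    "Downloads MZ/PE file": sig_downloads_mz,
    "Checks QEMU agent file": sig_checks_qemu_agent,
    "Executes dropped EXE": sig_executes_dropped_exe,
    "Accesses Microsoft Outlook profiles": sig_accesses_outlook_profiles,
    "Checks installed software on the system": sig_checks_installed_software,
    "Suspicious use of NtCreateThreadExHideFromDebugger": sig_createthreadex_hide,
    "Suspicious use of NtSetInformationThreadHideFromDebugger": sig_setinfo_hide,
    "Suspicious use of SetThreadContext": sig_set_thread_context,
}

def triage(text):
    """Names of the signatures that fire on a trace, in SIGNATURES order."""
    events = parse_log(text)
    return [name for name, rule in SIGNATURES.items() if rule(events)]

if __name__ == "__main__":
    print("\n".join("- " + name for name in triage(SAMPLE_LOG)))
```

Run as a script it lists the eight signatures that fire on the sample trace and nothing for the control trace. The rules are deliberately narrow (exact info-class value, Uninstall key suffix, a write preceding the CreateProcessW) so that a notepad.exe setting thread priority or a normal child process launch does not trigger them; the cost is that a real sandbox has to cover many more API entry points than the handful named here.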