General
Target: Upit za ponudu cijene (UNIZG 2307-17HR)·pdf.exe
Size: 771KB
Sample: 230717-lerkxaba94
MD5: 6385e97010865068d50af4c15828af3b
SHA1: 408ed57e0874c3d5c89eb1e22ba295e66df9aeb3
SHA256: 3d84c7753d68182e7ca22f69dbb983f4015278c2b5843942399be16dbf8f5f7e
SHA512: 6146c29278af6828697382afce477992b1052160ab07615fe27b43fd22d3af16eebaccf9e0bc688b1c8cbb3ec9ee81338e0c576136fb24f312ad7a195097b368
SSDEEP: 12288:Yg9BqMsNXoEuR3hAD0AVqRCU62yzfvuJqhKduldKeQLV65wDGu+RNI21mN:ftsqEuLADXdXzvQqwdulA5gZu+RNI2a
Static task: static1
Behavioral task: behavioral1
  Sample: Upit za ponudu cijene (UNIZG 2307-17HR)·pdf.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Upit za ponudu cijene (UNIZG 2307-17HR)·pdf.exe
  Resource: win10v2004-20230703-en
Malware Config
Extracted: lokibot
  http://138.68.56.139/?p=0575678950
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
Target: Upit za ponudu cijene (UNIZG 2307-17HR)·pdf.exe
- Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext