General
- Target: rPedidodeOfertadePre__o_USP2307-17BR___pdf.exe
- Size: 740KB
- Sample: 230718-erc5qagb93
- MD5: 45940981fe909cc104ec39b580478b4e
- SHA1: 8e488051c1c83b3d2d907bfe44f091089a1fa02a
- SHA256: e315436194fc3393c84aac01a11d3bc646eba90cb6a1a103e60c1774bc7e2b4b
- SHA512: 301f8da8ee665bc1de148f5dc2468702a5d0df20ef73ef80b40dcc09238c6fba93a0ac2e49ed0ebae3cb670e306ee4775878420096c7763127878f0179b2169b
- SSDEEP: 12288:Tg9mdK89EERUXCS3rDsFYih//SZUnkdovlo1MfxmVISRfwelsIDS5pEA81ZM6:UmdK2naCqrwrh3xkd2x6gelQf2
Static task
- static1

Behavioral task
- behavioral1
  Sample: rPedidodeOfertadePre__o_USP2307-17BR___pdf.exe
  Resource: win7-20230712-en

Behavioral task
- behavioral2
  Sample: rPedidodeOfertadePre__o_USP2307-17BR___pdf.exe
  Resource: win10v2004-20230703-en
Malware Config
- Extracted: lokibot
  http://138.68.56.139/?p=62556427884317
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Targets
- Target: rPedidodeOfertadePre__o_USP2307-17BR___pdf.exe
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext