General

  • Target

    TOMBIG - 9004898 - Ponuka·pdf.vbs

  • Size

    179KB

  • Sample

    240328-xama6seb76

  • MD5

    194dde165c8011d301784d1ddaced170

  • SHA1

    f9ee1b100dd1fe983685c1750b5c0e0bf1482fa1

  • SHA256

    4310bf502a623205fed084012e87eec8b6a6f5803695b3f27367cdb5b7dd1b45

  • SHA512

    52446abd43dada5cd84e3d70ddf034a967ece23078b492de2f82eeaa5d7622cb07adc107fc35db72488a213a2f748eb6198d3250b5f80ff0c3174f52e70707f4

  • SSDEEP

    3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyK:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcV7

Malware Config

Targets

    • Target

      TOMBIG - 9004898 - Ponuka·pdf.vbs

    • Size

      179KB

    • MD5

      194dde165c8011d301784d1ddaced170

    • SHA1

      f9ee1b100dd1fe983685c1750b5c0e0bf1482fa1

    • SHA256

      4310bf502a623205fed084012e87eec8b6a6f5803695b3f27367cdb5b7dd1b45

    • SHA512

      52446abd43dada5cd84e3d70ddf034a967ece23078b492de2f82eeaa5d7622cb07adc107fc35db72488a213a2f748eb6198d3250b5f80ff0c3174f52e70707f4

    • SSDEEP

      3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyK:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcV7

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks