General
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf
-
Size
336KB
-
Sample
240509-lbbqaadd85
-
MD5
e11c85d6890e5b25aa448b3a8ed79057
-
SHA1
cf57b870f9e4f516fa35205cf4047548d8985abc
-
SHA256
96cf27ee35af69887dc20d882b0e2b82c21ead56700b776beadbd99ab6d27d16
-
SHA512
27f18b3409d318979633c23620ecdf4f859c7411e5cce23c04da06063f06b4af3b0fc6136ac024348fe0ea394902538e6dd5448c0e0f47cbb6caf9019678f0be
-
SSDEEP
6144:EwAYwAYwAYwAYwAYwAYwAYwAYwAYwAWr4nd+1FKiZ:K
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf
Resource
win10v2004-20240508-en
Malware Config
Extracted
lokibot
http://sempersim.su/d4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
SecuriteInfo.com.Exploit.CVE-2018-0798.4.11595.10672.rtf
-
Size
336KB
-
MD5
e11c85d6890e5b25aa448b3a8ed79057
-
SHA1
cf57b870f9e4f516fa35205cf4047548d8985abc
-
SHA256
96cf27ee35af69887dc20d882b0e2b82c21ead56700b776beadbd99ab6d27d16
-
SHA512
27f18b3409d318979633c23620ecdf4f859c7411e5cce23c04da06063f06b4af3b0fc6136ac024348fe0ea394902538e6dd5448c0e0f47cbb6caf9019678f0be
-
SSDEEP
6144:EwAYwAYwAYwAYwAYwAYwAYwAYwAYwAWr4nd+1FKiZ:K
Score10/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-
Suspicious use of SetThreadContext
-