General
-
Target
9bbe182140b6af04643743f81eb71d82d48cead690cd4084abee411c28d82f22.doc
-
Size
112KB
-
Sample
240517-b6z19abf21
-
MD5
55c3359d759c2add57718754f1ca2b35
-
SHA1
7e5a49c7f57ccac5fc56646c4bcb0932ab75f8d2
-
SHA256
9bbe182140b6af04643743f81eb71d82d48cead690cd4084abee411c28d82f22
-
SHA512
c3edd20f852989a6ffde13a4cb6f0bf66ea7c6eca42a1b2d2e0ff48df8860963fe6314df140056f1257a8ea7953a6a60ae30b27a7e30e5368a3350c42687c0e7
-
SSDEEP
768:swAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjuSSF:swAlRkwAlRkwAlRkwAlR0SemINra+P2
Static task
static1
Behavioral task
behavioral1
Sample
9bbe182140b6af04643743f81eb71d82d48cead690cd4084abee411c28d82f22.rtf
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
9bbe182140b6af04643743f81eb71d82d48cead690cd4084abee411c28d82f22.rtf
Resource
win10v2004-20240508-en
Malware Config
Extracted
lokibot
http://rocheholding.top/evie3/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
9bbe182140b6af04643743f81eb71d82d48cead690cd4084abee411c28d82f22.doc
-
Size
112KB
-
MD5
55c3359d759c2add57718754f1ca2b35
-
SHA1
7e5a49c7f57ccac5fc56646c4bcb0932ab75f8d2
-
SHA256
9bbe182140b6af04643743f81eb71d82d48cead690cd4084abee411c28d82f22
-
SHA512
c3edd20f852989a6ffde13a4cb6f0bf66ea7c6eca42a1b2d2e0ff48df8860963fe6314df140056f1257a8ea7953a6a60ae30b27a7e30e5368a3350c42687c0e7
-
SSDEEP
768:swAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjuSSF:swAlRkwAlRkwAlRkwAlR0SemINra+P2
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables containing common artifacts observed in infostealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-