General
Target: Swift Copy.doc
Size: 149KB
Sample: 240528-hw3sqabe64
MD5: 9b8874549759e715edf254f395617e84
SHA1: 1f5efa3b2ee547ff9db075a2b239b54b363cf194
SHA256: cd63eb1a31e10d44ddf34b2eace72a0f5f0443b863163f6cddd442380388bab9
SHA512: 8cf842504ff360b098e0da571bb399e40b5efb8899dba5212eea478017b7fd9427678c2e8d057566a4b19961e5ec7dae847dddf2d7479e4578576199be329ac8
SSDEEP: 1536:BwAlRkwAlRkwAlRkwAlR/FSoVWq+jHKzqqe:BwAlawAlawAlawAl5FSoVvgqqqe
Static task: static1
Behavioral task: behavioral1
  Sample: Swift Copy.rtf
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: Swift Copy.rtf
  Resource: win10v2004-20240508-en
Malware Config
Extracted: lokibot
- http://rocheholding.top/evie3/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
Target: Swift Copy.doc
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext