General
-
Target
bf_5star_ramp.zip
-
Size
581KB
-
Sample
240530-q2stpsbg46
-
MD5
7c15fb5351b2b4680e6b9be6cc533245
-
SHA1
90472cc847e9a7230219a44d8ccb3f5a971d8c07
-
SHA256
a70cc7f12aff2a014fcf99cc2ffc7de8e3022c67e966d90b13fdc4f651a326fe
-
SHA512
86437a7328c9a03784bcd414f7b887c8914ee1810924bcc75d794bd1c6b64e445e35c3bfa0f065361f050c3152017c9ed4a4666b72e3df98a2eee82aa04a2fb4
-
SSDEEP
12288:K0KMJpwbJ9TNUKjNeFSQ03JajwO+7RhHWgkmZEDIsWC:rpYxQ03k0L/H6tIRC
Static task
static1
Behavioral task
behavioral1
Sample
bf_5star_ramp.zip
Resource
win10v2004-20240426-en
Malware Config
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
bf_5star_ramp.zip
-
Size
581KB
-
MD5
7c15fb5351b2b4680e6b9be6cc533245
-
SHA1
90472cc847e9a7230219a44d8ccb3f5a971d8c07
-
SHA256
a70cc7f12aff2a014fcf99cc2ffc7de8e3022c67e966d90b13fdc4f651a326fe
-
SHA512
86437a7328c9a03784bcd414f7b887c8914ee1810924bcc75d794bd1c6b64e445e35c3bfa0f065361f050c3152017c9ed4a4666b72e3df98a2eee82aa04a2fb4
-
SSDEEP
12288:K0KMJpwbJ9TNUKjNeFSQ03JajwO+7RhHWgkmZEDIsWC:rpYxQ03k0L/H6tIRC
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Blocklisted process makes network request
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1