General
-
Target
555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7.xls
-
Size
1.1MB
-
Sample
241119-e6shys1dkk
-
MD5
f69d18b27ddddb4274a97434c6a01ae2
-
SHA1
79a2cf394e8fe22341922a6490e9d58a87e2f748
-
SHA256
555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7
-
SHA512
32acd768dc2ec5095216e946f8cd119174ee252d4691d4816f91881a3c5439db68feffe24bc85a16dcdf9caf3d53b82fa89f35b89540148e8c862664c851a77c
-
SSDEEP
24576:6uq9PLiijE2Z5Z2amowshXCdQtF84LJQohVsx7ACKg0q9JfCazDVNPCTy2vo:6uEPLiij7Z5ZKowsAsFjLJQohVKEg0qR
Static task
static1
Behavioral task
behavioral1
Sample
555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7.xls
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7.xls
Resource
win10v2004-20241007-en
Malware Config
Extracted
lokibot
http://94.156.177.95/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7.xls
-
Size
1.1MB
-
MD5
f69d18b27ddddb4274a97434c6a01ae2
-
SHA1
79a2cf394e8fe22341922a6490e9d58a87e2f748
-
SHA256
555c9fab8b1c2180ec0c140d7ef7a072d3848661e47051b4dda5de40a61465b7
-
SHA512
32acd768dc2ec5095216e946f8cd119174ee252d4691d4816f91881a3c5439db68feffe24bc85a16dcdf9caf3d53b82fa89f35b89540148e8c862664c851a77c
-
SSDEEP
24576:6uq9PLiijE2Z5Z2amowshXCdQtF84LJQohVsx7ACKg0q9JfCazDVNPCTy2vo:6uEPLiij7Z5ZKowsAsFjLJQohVKEg0qR
-
Lokibot family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-