General
- Target: 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.doc
- Size: 251KB
- Sample: 241121-fpjp6aycqe
- MD5: e6859034a42f217800b6bf0980e93848
- SHA1: 8dcb69dcf727b7a7fbfbf6755492990dc51fd192
- SHA256: 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1
- SHA512: 778ceefc76571268a7c82c18ec1b6f6661b4f696d2612528b8eb94488383c84c9dba6613cd5b1c715514e64d062d73d28d84395f30dadb4fd2da51cbac372d35
- SSDEEP: 3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D
Static task: static1
Behavioral task: behavioral1
- Sample: 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.rtf
- Resource: win10v2004-20241007-en
Malware Config
Extracted: lokibot
- http://94.156.177.41/maxzi/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1.doc
Signatures
- Lokibot family
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
- PowerShell: 1
- Exploitation for Client Execution: 1
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 1
- Credentials In Files: 1