General
- Target: Pago Factura.xls
- Size: 160KB
- Sample: 200630-knpevy6mk2
- MD5: 03b1061e0a0cdf717e60708f1051d156
- SHA1: 2c3a07752cb73e1b0bd80f2b6554f0ec4bed2ba8
- SHA256: b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0
- SHA512: 98129c7d88a3f079595846d3e00eac3d7f6b7e35151f1dd80d4e31b1290fc6dee88129f53e903b3956be3ac69606d696c86ee540f654d7b72701d2744bdcd3fd
Static task: static1
Behavioral task: behavioral1
- Sample: Pago Factura.xls
- Resource: win7
Malware Config
Extracted: lokibot
- http://46.21.147.175/FtgPlac/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- Target: Pago Factura.xls
- Size: 160KB
- MD5: 03b1061e0a0cdf717e60708f1051d156
- SHA1: 2c3a07752cb73e1b0bd80f2b6554f0ec4bed2ba8
- SHA256: b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0
- SHA512: 98129c7d88a3f079595846d3e00eac3d7f6b7e35151f1dd80d4e31b1290fc6dee88129f53e903b3956be3ac69606d696c86ee540f654d7b72701d2744bdcd3fd

- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext