File Name Category Type Verdict Actions
C:\Users\RDhJ0CNFevzX\Desktop\Purchase Order.doc Sample File Word Document
Malicious
MIME Type application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Size 16.04 KB
MD5 58fa856ae520dc6c6e47f4b459e2de5b
SHA1 89c76a3bcb6a83cb1b343f5ea03cfc2da2214e97
SHA256 425ef5b31a93a014e2ff74d66c148a7b73b0fb2a57ab2e015576cb2272db5dfb
SSDeep 384:IyXnXK3Wgs8PL8wi4OEwH8TIbE91r2fRcJYzviML2nkPt:Icnyb5P3DOqnYJamvtL2nkF
ImpHash -
Office Information
Creator Modexcomm
Last Modified By Modexcomm
Revision 7
Create Time 2023-03-27 22:13 (UTC)
Modify Time 2023-08-16 13:25 (UTC)
Application Microsoft Office Word
App Version 12.0000
Template Normal.dotm
Document Security NONE
Editing Time 19.0
Page Count 7
Line Count 150
Paragraph Count 42
Word Count 3177
Character Count 18113
Chars With Spaces 21248
ScaleCrop False
SharedDoc False
Document Content Snippet
dMBCBESONDERHEDE BESONDERHEDE VIR HIERDIE MAANDDRAENDE NR. HOEV30208 NBC DRAAG 30 STK30308 NBC DRAAG 6 STK32007X NBC DRAAG 74 STK33005 NBC wat 5 stelle dra52799 / 800U (25877/21) NBC wat 30 PCS dra6001 NBC wat 100 stuks dra6004 NBC wat 180 stuks dra6006 NBC wat 30 PCS dra6011 C3 NBC wat 10 stuks dra6202 NBC wat 280 stuks dra6203 NBC DRAAG 330 STK6205 (Stel) NBC DRAER 224 STK6205ZZ NBC DRAAG 8 STELS6207 NBC DRAER 32 STK6207N NBC wat 10 stuks dra6207ZZ NBC DRAER 52 STK6209 NBC wat 24 stuks dra6209N NBC wat 10 stuks dra6211 NBC met 26 st6212 NBC met 24 st6213 C3 NBC wat 20 stuks dra6215 C3 NBC wat 10 stuks dra628RSS NBC wat 120 stuks dra6300 NBC wat 180 stuks dra6304 (Kit) NBC DRAER 4 STK6307ZZ NBC wat 10 stuks dra6308 C3 NBC DRAAG 40 STK6308ZZ NBC wat 10 stuks dra6311 NBC wat 10 stuks dra6312 NBC wat 10 stuks dra6312ZZ C3 NBC DRAER 6 STK6902 C3 NBC wat 20 stuks draLM48548 / 510 NBC DRAER 96 STKNJ309 NBC DRAER 6 STK1988/1922 (NSPP01) .NC 706304.BEARING SET (NPP02) 11230209 (NSPP01) .NC 20
Extracted URLs (1)
URL WHOIS Data Reputation Status Recursively Submitted Actions
Malicious
C:\Users\RDhJ0CNFevzX\AppData\Roaming\alpha73882.scr Downloaded File Binary
Malicious
Also Known As C:\Users\RDhJ0CNFevzX\AppData\Roaming\xaFodrmIsC.exe (Accessed File)
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\fqx74zx9\alpha[1].scr (Downloaded File, Extracted File)
MIME Type application/vnd.microsoft.portable-executable
File Size 579.50 KB
MD5 9077f5266ac853566779a80d08baefe5
SHA1 b6acf7eb2ed2202754cdc38eb98275f286a7aa2b
SHA256 91a9acd38a970ddf7fe35f9477d415e9b9befc760c85a4f8e15b045b42a9d689
SSDeep 12288:TX0pxaV36Di8BtLVLYt1jShfoj9f+VhfbpIGzkrTdEzIlcb0e5IdgXzskR:lBFK4t1WCJf0h+TnlS0EXzb
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
PE Information
Image Base 0x00400000
Entry Point 0x0048C06E
Size Of Code 0x0008A800
Size Of Initialized Data 0x00002800
File Type IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_I386
Compile Timestamp 2024-06-10 02:42 (UTC)
Version Information (7)
FileDescription
FileVersion 0.0.0.0
InternalName lHje.exe
LegalCopyright
OriginalFilename lHje.exe
ProductVersion 0.0.0.0
Assembly Version 0.0.0.0
Sections (3)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x00402000 0x0008A074 0x0008A800 0x00000800 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 7.95
.rsrc 0x0048E000 0x00001ECC 0x00002000 0x0008B000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.22
.reloc 0x00490000 0x0000000C 0x00000800 0x0008D000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 0.03
Imports (1)
mscoree.dll (1)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
_CorExeMain - 0x00402000 0x0008C044 0x0008A844 0x00000000
Digital Signature Information
Verification Status Failed
Certificate: Simon Tatham
Issued by Simon Tatham
Parent Certificate COMODO RSA Code Signing CA
Country Name GB
Valid From 2018-11-13 00:00 (UTC)
Valid Until 2021-11-08 23:59 (UTC)
Algorithm sha256_rsa
Serial Number 7C 11 18 CB BA DC 95 DA 37 52 C4 6E 47 A2 74 38
Thumbprint 5B 9E 27 3C F1 19 41 FD 8C 6B E3 F0 38 C4 79 7B BE 88 42 68
Certificate: COMODO RSA Code Signing CA
Issued by COMODO RSA Code Signing CA
Parent Certificate COMODO RSA Certification Authority
Country Name GB
Valid From 2013-05-09 00:00 (UTC)
Valid Until 2028-05-08 23:59 (UTC)
Algorithm sha384_rsa
Serial Number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
Thumbprint B6 9E 75 2B BE 88 B4 45 82 00 A7 C0 F4 F5 B3 CC E6 F3 5B 47
Certificate: COMODO RSA Certification Authority
Issued by COMODO RSA Certification Authority
Country Name GB
Valid From 2010-01-19 00:00 (UTC)
Valid Until 2038-01-18 23:59 (UTC)
Algorithm sha384_rsa
Serial Number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Thumbprint AF E5 D2 44 A8 D1 19 42 30 FF 47 9F E2 F8 97 BB CD 7A 8C B4
Memory Dumps (7)
Name Process ID Start VA End VA Dump Reason PE Rebuild Bitness Entry Point YARA Actions
alpha73882.scr 6 0x004F0000 0x00581FFF Relevant Image False 32-bit - False
buffer 6 0x022E0000 0x022FBFFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 6 0x005A0000 0x005A9FFF Reflectively Loaded .NET Assembly False 32-bit - False
buffer 6 0x02180000 0x021DBFFF Reflectively Loaded .NET Assembly False 32-bit - False
alpha73882.scr 6 0x004F0000 0x00581FFF Final Dump False 32-bit - False
buffer 10 0x00400000 0x004A1FFF Content Changed False 32-bit 0x004139DE False
alpha73882.scr 10 0x00890000 0x00921FFF Relevant Image False 32-bit - False
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpB75D.tmp Dropped File Text
Clean
MIME Type text/xml
File Size 1.56 KB
MD5 bbdd38522fc19760f20ddd6d74a169a2
SHA1 51da4419b34a3a0eef4493ba0df96ed9c635789b
SHA256 9f09da042e0b44a70976b514e26040c38cca89661c63056072a5fca6562e557c
SSDeep 24:2di4+S2qh9Y1Sy1mlUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtSoxvn:cge2UYrFdOFzOzN33ODOiDdKrsuTSIv
ImpHash -
f743a86539017023aae3ea9c35d42f092b42dc9ea8bc90154e4b88c6f57fd1f1 Downloaded File RTF
Clean
MIME Type text/rtf
File Size 421.77 KB
MD5 4447ab2143a08d8b67f131c4cbd9c316
SHA1 d2eb154acb987942e6bcaafe2400b7f3926f0422
SHA256 f743a86539017023aae3ea9c35d42f092b42dc9ea8bc90154e4b88c6f57fd1f1
SSDeep 6144:qwAYwAYwAYwAYwAYwAYwAYwAYwAYwAmCZg4x:V
ImpHash -
Static Analysis Parser Error invalid control word value pattern
Office Information
Document Content Snippet
82650751please click Enable editing from the yellow bar above.The independent auditors’ opinion says the financial statements are fairly stated in accordance with the basis of accounting used by your organization. So why are the auditors giving you that other letter In an audit of financial statements, professional standards require that auditors obtain an understanding of internal controls to the extent necessary to plan the audit. Auditors use this understanding of internal controls to assess the risk of material misstatement of the financial statements and to design appropriate audit procedures to minimize that risk.The definition of good internal controls is that they allow errors and other misstatements to be prevented or detected and corrected by (the nonprofit’s) employees in the normal course of performing their duties. If the auditors detect an unexpected material misstatement during your audit, it could indicate that your internal controls are not functioning properly. Conver
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat Modified File Stream
Clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 cc90851958032b8c8bbb7b24ec6271dd
SHA1 e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256 c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep 3:Fl:
ImpHash -
f6797c5f8ded41e638543afccb2ef254dfb2b61e8eddf5f23e8e0bac7c0a99f6 Extracted File Image
Clean
Parent File C:\Users\RDhJ0CNFevzX\AppData\Roaming\alpha73882.scr
MIME Type image/png
File Size 6.33 KB
MD5 6fc3a7078920eced6b8832a62f1b8034
SHA1 faeb2f7572d4de0e1527fdc8eb9f22ac858db4a8
SHA256 f6797c5f8ded41e638543afccb2ef254dfb2b61e8eddf5f23e8e0bac7c0a99f6
SSDeep 96:1SubqcpL3ywPF7AUjze0iFe0nTMZxwEeKV6PzSXb3G4kVg+rSLOpMks0+HFltjQK:1Sub1LywPFl+nT8C2XaTg+Ekj+Hi0pP
ImpHash -