Malicious
Classifications
Spyware Downloader Exploit
Threat Names
Lokibot Lokibot.v2 Mal/HTMLGen-A
Dynamic Analysis Report
Created on 2024-06-10T06:33:48+00:00
Purchase Order.doc
Word Document
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
Filters: |
There are no files for this filter
There are no files in this analysis
File Name | Category | Type | Verdict | Actions |
---|
C:\Users\RDhJ0CNFevzX\Desktop\Purchase Order.doc | Sample File | Word Document |
Malicious
|
...
|
»
Office Information
»
Creator | Modexcomm |
Last Modified By | Modexcomm |
Revision | 7 |
Create Time | 2023-03-27 22:13 (UTC) |
Modify Time | 2023-08-16 13:25 (UTC) |
Application | Microsoft Office Word |
App Version | 12.0000 |
Template | Normal.dotm |
Document Security | NONE |
Editing Time | 19.0 |
Page Count | 7 |
Line Count | 150 |
Paragraph Count | 42 |
Word Count | 3177 |
Character Count | 18113 |
Chars With Spaces | 21248 |
ScaleCrop | False |
SharedDoc | False |
Document Content Snippet
»
dMBCBESONDERHEDE BESONDERHEDE VIR HIERDIE MAANDDRAENDE NR. HOEV30208 NBC DRAAG 30 STK30308 NBC DRAAG 6 STK32007X NBC DRAAG 74 STK33005 NBC wat 5 stelle dra52799 / 800U (25877/21) NBC wat 30 PCS dra6001 NBC wat 100 stuks dra6004 NBC wat 180 stuks dra6006 NBC wat 30 PCS dra6011 C3 NBC wat 10 stuks dra6202 NBC wat 280 stuks dra6203 NBC DRAAG 330 STK6205 (Stel) NBC DRAER 224 STK6205ZZ NBC DRAAG 8 STELS6207 NBC DRAER 32 STK6207N NBC wat 10 stuks dra6207ZZ NBC DRAER 52 STK6209 NBC wat 24 stuks dra6209N NBC wat 10 stuks dra6211 NBC met 26 st6212 NBC met 24 st6213 C3 NBC wat 20 stuks dra6215 C3 NBC wat 10 stuks dra628RSS NBC wat 120 stuks dra6300 NBC wat 180 stuks dra6304 (Kit) NBC DRAER 4 STK6307ZZ NBC wat 10 stuks dra6308 C3 NBC DRAAG 40 STK6308ZZ NBC wat 10 stuks dra6311 NBC wat 10 stuks dra6312 NBC wat 10 stuks dra6312ZZ C3 NBC DRAER 6 STK6902 C3 NBC wat 20 stuks draLM48548 / 510 NBC DRAER 96 STKNJ309 NBC DRAER 6 STK1988/1922 (NSPP01) .NC 706304.BEARING SET (NPP02) 11230209 (NSPP01) .NC 20 |
Extracted URLs (1)
»
URL | WHOIS Data | Reputation Status | Recursively Submitted | Actions |
---|---|---|---|---|
https://dukeenergyltd.top/alpha.doc |
Show WHOIS
|
Malicious
|
- |
...
|
C:\Users\RDhJ0CNFevzX\AppData\Roaming\alpha73882.scr | Downloaded File | Binary |
Malicious
|
...
|
»
PE Information
»
Image Base | 0x00400000 |
Entry Point | 0x0048C06E |
Size Of Code | 0x0008A800 |
Size Of Initialized Data | 0x00002800 |
File Type | IMAGE_FILE_EXECUTABLE_IMAGE |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Machine Type | IMAGE_FILE_MACHINE_I386 |
Compile Timestamp | 2024-06-10 02:42 (UTC) |
Version Information (7)
»
FileDescription | |
FileVersion | 0.0.0.0 |
InternalName | lHje.exe |
LegalCopyright | |
OriginalFilename | lHje.exe |
ProductVersion | 0.0.0.0 |
Assembly Version | 0.0.0.0 |
Sections (3)
»
Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
---|---|---|---|---|---|---|
.text | 0x00402000 | 0x0008A074 | 0x0008A800 | 0x00000800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.95 |
.rsrc | 0x0048E000 | 0x00001ECC | 0x00002000 | 0x0008B000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.22 |
.reloc | 0x00490000 | 0x0000000C | 0x00000800 | 0x0008D000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.03 |
Imports (1)
»
mscoree.dll (1)
»
API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
---|---|---|---|---|---|
_CorExeMain | - | 0x00402000 | 0x0008C044 | 0x0008A844 | 0x00000000 |
Digital Signature Information
»
Verification Status | Failed |
Certificate: Simon Tatham
»
Issued by | Simon Tatham |
Parent Certificate | COMODO RSA Code Signing CA |
Country Name | GB |
Valid From | 2018-11-13 00:00 (UTC) |
Valid Until | 2021-11-08 23:59 (UTC) |
Algorithm | sha256_rsa |
Serial Number | 7C 11 18 CB BA DC 95 DA 37 52 C4 6E 47 A2 74 38 |
Thumbprint | 5B 9E 27 3C F1 19 41 FD 8C 6B E3 F0 38 C4 79 7B BE 88 42 68 |
Certificate: COMODO RSA Code Signing CA
»
Issued by | COMODO RSA Code Signing CA |
Parent Certificate | COMODO RSA Certification Authority |
Country Name | GB |
Valid From | 2013-05-09 00:00 (UTC) |
Valid Until | 2028-05-08 23:59 (UTC) |
Algorithm | sha384_rsa |
Serial Number | 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF |
Thumbprint | B6 9E 75 2B BE 88 B4 45 82 00 A7 C0 F4 F5 B3 CC E6 F3 5B 47 |
Certificate: COMODO RSA Certification Authority
»
Issued by | COMODO RSA Certification Authority |
Country Name | GB |
Valid From | 2010-01-19 00:00 (UTC) |
Valid Until | 2038-01-18 23:59 (UTC) |
Algorithm | sha384_rsa |
Serial Number | 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D |
Thumbprint | AF E5 D2 44 A8 D1 19 42 30 FF 47 9F E2 F8 97 BB CD 7A 8C B4 |
Memory Dumps (7)
»
Name | Process ID | Start VA | End VA | Dump Reason | PE Rebuild | Bitness | Entry Point | YARA | Actions |
---|---|---|---|---|---|---|---|---|---|
alpha73882.scr | 6 | 0x004F0000 | 0x00581FFF | Relevant Image | 32-bit | - |
...
|
||
buffer | 6 | 0x022E0000 | 0x022FBFFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 6 | 0x005A0000 | 0x005A9FFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
buffer | 6 | 0x02180000 | 0x021DBFFF | Reflectively Loaded .NET Assembly | 32-bit | - |
...
|
||
alpha73882.scr | 6 | 0x004F0000 | 0x00581FFF | Final Dump | 32-bit | - |
...
|
||
buffer | 10 | 0x00400000 | 0x004A1FFF | Content Changed | 32-bit | 0x004139DE |
...
|
||
alpha73882.scr | 10 | 0x00890000 | 0x00921FFF | Relevant Image | 32-bit | - |
...
|
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\tmpB75D.tmp | Dropped File | Text |
Clean
|
...
|
»
f743a86539017023aae3ea9c35d42f092b42dc9ea8bc90154e4b88c6f57fd1f1 | Downloaded File | RTF |
Clean
|
...
|
»
Office Information
»
Document Content Snippet
»
82650751please click Enable editing from the yellow bar above.The independent auditors’ opinion says the financial statements are fairly stated in accordance with the basis of accounting used by your organization. So why are the auditors giving you that other letter In an audit of financial statements, professional standards require that auditors obtain an understanding of internal controls to the extent necessary to plan the audit. Auditors use this understanding of internal controls to assess the risk of material misstatement of the financial statements and to design appropriate audit procedures to minimize that risk.The definition of good internal controls is that they allow errors and other misstatements to be prevented or detected and corrected by (the nonprofit’s) employees in the normal course of performing their duties. If the auditors detect an unexpected material misstatement during your audit, it could indicate that your internal controls are not functioning properly. Conver |
c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | Stream |
Clean
|
...
|
»
f6797c5f8ded41e638543afccb2ef254dfb2b61e8eddf5f23e8e0bac7c0a99f6 | Extracted File | Image |
Clean
|
...
|
»