lokibot | b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0

General

Target

Pago Factura.xls
Size

160KB
MD5

03b1061e0a0cdf717e60708f1051d156
SHA1

2c3a07752cb73e1b0bd80f2b6554f0ec4bed2ba8
SHA256

b2716ac6169dc9ab6107117a9f88e4e30b1dd8cf7563f26cfec15ed3ee0fd2e0
SHA512

98129c7d88a3f079595846d3e00eac3d7f6b7e35151f1dd80d4e31b1290fc6dee88129f53e903b3956be3ac69606d696c86ee540f654d7b72701d2744bdcd3fd

Score

10^/10

evasion spyware trojan stealer lokibot

Malware Config

Extracted

Family

lokibot

C2

http://46.21.147.175/FtgPlac/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1424 EXCEL.EXE
Executes dropped EXE 2 IoCs

Processes:

cssrs.execssrs.exe

pid process

1816 cssrs.exe
1268 cssrs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cssrs.exe

description pid process

Token: SeDebugPrivilege 1268 cssrs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1424	EXCEL.EXE

pid	process
1816	cssrs.exe
1268	cssrs.exe

description	pid	process
Token: SeDebugPrivilege	1268	cssrs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EXCEL.EXEcssrs.exe

description	pid	process	target process
PID 1424 wrote to memory of 1816	1424	EXCEL.EXE	cssrs.exe
PID 1424 wrote to memory of 1816	1424	EXCEL.EXE	cssrs.exe
PID 1424 wrote to memory of 1816	1424	EXCEL.EXE	cssrs.exe
PID 1424 wrote to memory of 1816	1424	EXCEL.EXE	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe
PID 1816 wrote to memory of 1268	1816	cssrs.exe	cssrs.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	EXCEL.EXE

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cssrs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cssrs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cssrs.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

cssrs.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions cssrs.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1424 EXCEL.EXE
1424 EXCEL.EXE
1424 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

cssrs.exe

description pid process target process

PID 1816 set thread context of 1268 1816 cssrs.exe cssrs.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

cssrs.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools cssrs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	cssrs.exe

pid	process
1424	EXCEL.EXE
1424	EXCEL.EXE
1424	EXCEL.EXE

description	pid	process	target process
PID 1816 set thread context of 1268	1816	cssrs.exe	cssrs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	cssrs.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cssrs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cssrs.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	cssrs.exe

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Office loads VBA resources, possible macro or embedded object present

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Pago Factura.xls"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Users\Admin\AppData\Roaming\cssrs.exe
"C:\Users\Admin\AppData\Roaming\cssrs.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
- Checks BIOS information in registry
- Looks for VirtualBox Guest Additions in registry
- Suspicious use of SetThreadContext
- Looks for VMWare Tools registry key
- Maps connected drives based on registry
PID:1816

C:\Users\Admin\AppData\Roaming\cssrs.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cssrs.exe

Download Submit
C:\Users\Admin\AppData\Roaming\cssrs.exe

Download Submit
C:\Users\Admin\AppData\Roaming\cssrs.exe

Download Submit
memory/1268-6-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1268-7-0x00000000004139DE-mapping.dmp

Download
memory/1268-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1424-0-0x0000000007110000-0x0000000007210000-memory.dmp

Filesize
1024KB

Download
memory/1424-1-0x0000000007110000-0x0000000007210000-memory.dmp

Filesize
1024KB

Download
memory/1424-2-0x0000000007110000-0x0000000007210000-memory.dmp

Filesize
1024KB

Download
memory/1816-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads