lokibot | c66970bdd757e643f76b613a6302a14c6ea6eb6032aebc6b4cfc84fc265c485f

Analysis

max time kernel
102s
max time network
127s
platform
windows7_x64
resource
win7v20201028
submitted
28-12-2020 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pago Fecha 2021.xls
Size

126KB
MD5

35c9dbe44c092a5ebb101e1600736228
SHA1

21083aa36e32aea90469131690c3d93f0f7f6c85
SHA256

c66970bdd757e643f76b613a6302a14c6ea6eb6032aebc6b4cfc84fc265c485f
SHA512

ed78404ea84ac4023e8c9459cef3178e8c5bea8fcddecef49d31a4fc01699f6203f9af11ffe13f66d4ca060e5a1412465b8411cb2df86d858788651ca2958103

Score

10^/10

lokibot modiloader persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://45.81.7.81/filopkm/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Executes dropped EXE 2 IoCs

Processes:

RNUZQQ.exeRNUZQQ.exe

pid process

952 RNUZQQ.exe
1520 RNUZQQ.exe
Loads dropped DLL 4 IoCs

Processes:

EXCEL.EXE

pid process

1580 EXCEL.EXE
1580 EXCEL.EXE
1580 EXCEL.EXE
1580 EXCEL.EXE

pid	process
952	RNUZQQ.exe
1520	RNUZQQ.exe

pid	process
1580	EXCEL.EXE
1580	EXCEL.EXE
1580	EXCEL.EXE
1580	EXCEL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RNUZQQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\jxfU = "C:\\Users\\Admin\\AppData\\Local\\jxfU.url"	RNUZQQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RNUZQQ.exe

description pid process target process

PID 952 set thread context of 1520 952 RNUZQQ.exe RNUZQQ.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	pid	process	target process
PID 952 set thread context of 1520	952	RNUZQQ.exe	RNUZQQ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1580 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RNUZQQ.exe

description pid process

Token: SeDebugPrivilege 1520 RNUZQQ.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1580 EXCEL.EXE
1580 EXCEL.EXE
1580 EXCEL.EXE

pid	process
1580	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1520	RNUZQQ.exe

pid	process
1580	EXCEL.EXE
1580	EXCEL.EXE
1580	EXCEL.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

EXCEL.EXERNUZQQ.exe

description	pid	process	target process
PID 1580 wrote to memory of 952	1580	EXCEL.EXE	RNUZQQ.exe
PID 1580 wrote to memory of 952	1580	EXCEL.EXE	RNUZQQ.exe
PID 1580 wrote to memory of 952	1580	EXCEL.EXE	RNUZQQ.exe
PID 1580 wrote to memory of 952	1580	EXCEL.EXE	RNUZQQ.exe
PID 952 wrote to memory of 1520	952	RNUZQQ.exe	RNUZQQ.exe
PID 952 wrote to memory of 1520	952	RNUZQQ.exe	RNUZQQ.exe
PID 952 wrote to memory of 1520	952	RNUZQQ.exe	RNUZQQ.exe
PID 952 wrote to memory of 1520	952	RNUZQQ.exe	RNUZQQ.exe
PID 952 wrote to memory of 1520	952	RNUZQQ.exe	RNUZQQ.exe
PID 952 wrote to memory of 1520	952	RNUZQQ.exe	RNUZQQ.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Pago Fecha 2021.xls"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0C69B3EC323321743CE66F959E80BAB4
MD5
caac01419b320ba251fe4a72086f7036

SHA1
5ec02ecb48895bc20889e0edf6089cb7d8ec55b4

SHA256
18cbf78539febda1b4874c87f344281882ecc7601af3c4241227644f5a9603a2

SHA512
5298d065396ef1b00959fb18b9168c43dcf40a2d103d0be9bc38dc5aaa61310f77a3951a16be3f67789d58fc23e0e790b21295271a62180161ac712867396fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
953f2125a88eced630fa3f95e287b02f

SHA1
441e0e319ee73efd0621095d74e75b6a16239c48

SHA256
251e9ca5f4e6580fe9014e843ac3e054aa45d6a8e7cef4f5c7512fc31fc354fa

SHA512
b685e7d725dc2bf210c906b744445f1ad59a54a4ee251825f39b12522d98f02be49f4bce3fa1832bb7e08f8e118bfc1ed7c1bd76cb054b24223eb863103c0050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0C69B3EC323321743CE66F959E80BAB4
MD5
785b6021bea3291544736457b5ea4752

SHA1
c99cfcb8d4c8a21907f6b6e3785be5374ce80b62

SHA256
741ff6c084d8ec116eec77d7f3e95c11689e7996064486e1177ff62d3f503b86

SHA512
be3f3c18a25c6b4fb8a448e92db10bfbea874882de0d35789a0ed4640ddbbdef77893948561b5689616db420fceaabaf85b4fbf59498f9452bfcf2bb210353ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
c8396178a25a70892a4cf6820c5f5635

SHA1
55a717721a306cb66f33aa7c65113205935b2ae2

SHA256
11db563b30043a54540f594550d3ff91f3b1eeb5c838f0b12e5c88673352143f

SHA512
178ed8aa2e4dfbb6313b133412ad093f2f90ec6bc035f15445c0f8a074816dfbcab502b58cad4cae599b965221a3ff3e370b4a8d75beb984d74b824894fe428d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
90e52ffb12f8e24be5393ec47396bec6

SHA1
cdafe25220ad4b9c15b0e25078b8717bd2b8a219

SHA256
1657362d6c75c0da68177f24b977783ca4de26803dde9152d50f856cfe373574

SHA512
e7aed40f0a811c8f2a08ff401fc499316369875173efbf3bb84c56c5275517344d2b25f39ab18b0903b697f5e47db6e4af872988c98743f6b3a6820ac02ef976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
memory/952-7-0x0000000000000000-mapping.dmp

Download
memory/1520-16-0x00000000004139DE-mapping.dmp

Download
memory/1520-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1520-18-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-2-0x000007FEF6780000-0x000007FEF69FA000-memory.dmp

Filesize
2.5MB

Download