lokibot | c66970bdd757e643f76b613a6302a14c6ea6eb6032aebc6b4cfc84fc265c485f

General

Target

Pago Fecha 2021.xls
Size

126KB
MD5

35c9dbe44c092a5ebb101e1600736228
SHA1

21083aa36e32aea90469131690c3d93f0f7f6c85
SHA256

c66970bdd757e643f76b613a6302a14c6ea6eb6032aebc6b4cfc84fc265c485f
SHA512

ed78404ea84ac4023e8c9459cef3178e8c5bea8fcddecef49d31a4fc01699f6203f9af11ffe13f66d4ca060e5a1412465b8411cb2df86d858788651ca2958103

Score

10^/10

lokibot modiloader persistence spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://45.81.7.81/filopkm/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Executes dropped EXE 2 IoCs

Processes:

RNUZQQ.exeRNUZQQ.exe

pid process

3448 RNUZQQ.exe
3660 RNUZQQ.exe

pid	process
3448	RNUZQQ.exe
3660	RNUZQQ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RNUZQQ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\jxfU = "C:\\Users\\Admin\\AppData\\Local\\jxfU.url"	RNUZQQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RNUZQQ.exe

description pid process target process

PID 3448 set thread context of 3660 3448 RNUZQQ.exe RNUZQQ.exe

description	pid	process	target process
PID 3448 set thread context of 3660	3448	RNUZQQ.exe	RNUZQQ.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1048 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RNUZQQ.exe

description pid process

Token: SeDebugPrivilege 3660 RNUZQQ.exe

description	pid	process
Token: SeDebugPrivilege	3660	RNUZQQ.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE
1048	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EXCEL.EXERNUZQQ.exe

description	pid	process	target process
PID 1048 wrote to memory of 3448	1048	EXCEL.EXE	RNUZQQ.exe
PID 1048 wrote to memory of 3448	1048	EXCEL.EXE	RNUZQQ.exe
PID 1048 wrote to memory of 3448	1048	EXCEL.EXE	RNUZQQ.exe
PID 3448 wrote to memory of 3660	3448	RNUZQQ.exe	RNUZQQ.exe
PID 3448 wrote to memory of 3660	3448	RNUZQQ.exe	RNUZQQ.exe
PID 3448 wrote to memory of 3660	3448	RNUZQQ.exe	RNUZQQ.exe
PID 3448 wrote to memory of 3660	3448	RNUZQQ.exe	RNUZQQ.exe
PID 3448 wrote to memory of 3660	3448	RNUZQQ.exe	RNUZQQ.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Pago Fecha 2021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0C69B3EC323321743CE66F959E80BAB4
MD5
caac01419b320ba251fe4a72086f7036

SHA1
5ec02ecb48895bc20889e0edf6089cb7d8ec55b4

SHA256
18cbf78539febda1b4874c87f344281882ecc7601af3c4241227644f5a9603a2

SHA512
5298d065396ef1b00959fb18b9168c43dcf40a2d103d0be9bc38dc5aaa61310f77a3951a16be3f67789d58fc23e0e790b21295271a62180161ac712867396fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
953f2125a88eced630fa3f95e287b02f

SHA1
441e0e319ee73efd0621095d74e75b6a16239c48

SHA256
251e9ca5f4e6580fe9014e843ac3e054aa45d6a8e7cef4f5c7512fc31fc354fa

SHA512
b685e7d725dc2bf210c906b744445f1ad59a54a4ee251825f39b12522d98f02be49f4bce3fa1832bb7e08f8e118bfc1ed7c1bd76cb054b24223eb863103c0050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0C69B3EC323321743CE66F959E80BAB4
MD5
1892b605724f52b33ebc67600be591a6

SHA1
1815b89e112723e90da7d1313c9b4530721c0297

SHA256
1341b4e31e120ede02ba9790dbbd5beecd115242fde5fa0750e5624554b8402c

SHA512
ec4445374ab3dccfda583211e54b323de18a6779efc4a7ff94c6f1beee847876d632531f9c1b02552c0c179582af85a6aa1c48107ecc90decfc68811e8c7b754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
046ec60355c832add3a6fc4ef6d20903

SHA1
7f8eac8a78114a32e6d1dc48e32c2028ef41d2e6

SHA256
918f154fa6e4e6711243be7fdd0c2cb77fa1a0b9bbfa9efbaa21daaac636b3f0

SHA512
86dd8fa7e5c18fecde97f5c58323fe2ffbcc99d36610220f89651eea8964dc278c77604891b60973031492ea530d35b456d48c990e4ef7c05171836739b106ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\RNUZQQ.exe
MD5
906fa6e4a672e38a8baa367e53b2e45d

SHA1
307394cf29f2569747c52903fc7f6c02aabc9c1b

SHA256
07d8c65abd0cec498fb44c61779a15b436bd0cb3f8be404435589d8aeb3bbe4d

SHA512
e99cff4e957ad38c204edc7e68dcf17e6c57006c26b9bf68a34230bf65614e817dd46c6070f7dbadd9890ffc7281fd0a3ce94e9f8f49198fdb4fa68a4a566b01

Download Submit
memory/1048-2-0x00007FFEA4270000-0x00007FFEA48A7000-memory.dmp

Filesize
6.2MB

Download
memory/3448-6-0x00000000743C0000-0x0000000074453000-memory.dmp

Filesize
588KB

Download
memory/3448-3-0x0000000000000000-mapping.dmp

Download
memory/3660-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3660-12-0x00000000004139DE-mapping.dmp

Download
memory/3660-14-0x00000000743C0000-0x0000000074453000-memory.dmp

Filesize
588KB

Download
memory/3660-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads