lokibot | eaa14ff5cdf3ec428bd1b0c2689272996741a4c93f3c1289934057c3c5cafc78

Analysis

max time kernel
102s
max time network
105s
platform
windows7_x64
resource
win7v20201028
submitted
11-01-2021 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swift 0182021.xls
Size

215KB
MD5

d5185ca33c490e907fc4fa6b22558890
SHA1

151f729d65c4241ccde8e7055b57d1176d29198d
SHA256

eaa14ff5cdf3ec428bd1b0c2689272996741a4c93f3c1289934057c3c5cafc78
SHA512

b214da4e9284615faebdd60fd45f8f161aabc06428ac40f0cd8ec83a870dd225dfbe9795a6d8e1e192734f748a92b5d7da6f436325e8de60ed4e46fcd41dcbbf

Score

10^/10

lokibot modiloader spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://worldpackmx.com/fretyuil/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader First Stage 8 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe	modiloader_stage1

Executes dropped EXE 2 IoCs

Processes:

CLIDSXX.exeCLIDSXX.exe

pid process

1480 CLIDSXX.exe
1604 CLIDSXX.exe
Loads dropped DLL 5 IoCs

Processes:

EXCEL.EXE

pid process

1204 EXCEL.EXE
1204 EXCEL.EXE
1204 EXCEL.EXE
1204 EXCEL.EXE
1204 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

CLIDSXX.exe

description pid process target process

PID 1480 set thread context of 1604 1480 CLIDSXX.exe CLIDSXX.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1480	CLIDSXX.exe
1604	CLIDSXX.exe

pid	process
1204	EXCEL.EXE
1204	EXCEL.EXE
1204	EXCEL.EXE
1204	EXCEL.EXE
1204	EXCEL.EXE

description	pid	process	target process
PID 1480 set thread context of 1604	1480	CLIDSXX.exe	CLIDSXX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1204 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CLIDSXX.exe

description pid process

Token: SeDebugPrivilege 1604 CLIDSXX.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1204 EXCEL.EXE
1204 EXCEL.EXE
1204 EXCEL.EXE

pid	process
1204	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1604	CLIDSXX.exe

pid	process
1204	EXCEL.EXE
1204	EXCEL.EXE
1204	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EXCEL.EXECLIDSXX.exe

description	pid	process	target process
PID 1204 wrote to memory of 1480	1204	EXCEL.EXE	CLIDSXX.exe
PID 1204 wrote to memory of 1480	1204	EXCEL.EXE	CLIDSXX.exe
PID 1204 wrote to memory of 1480	1204	EXCEL.EXE	CLIDSXX.exe
PID 1204 wrote to memory of 1480	1204	EXCEL.EXE	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe
PID 1480 wrote to memory of 1604	1480	CLIDSXX.exe	CLIDSXX.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\swift 0182021.xls"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
MD5
360fbabd1b026cecf94e2727287b802a

SHA1
0f4e121a315d0fe1ff85b8252d3d863a4d828f49

SHA256
da6164e0668bfc439fb6f2f94070fed5f8cf8fe278cff65902f3a560c9b7efe2

SHA512
2de4e4c0147c74e59b39fc6bcc4c036e59946cbb4214f23af49846f036cd323f8ca176532e4e6d21470923e9133783195743965fe7aae14abf5649b1edee6431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
MD5
8d992c425fa55e2fcec09bb8199a895f

SHA1
5a1ac03435e38dfa00d3380c54565066a1da5b35

SHA256
f00fc8f94be3c245c1b9894124bac03d19699591b9962dbdf2a869ac61e8203d

SHA512
3b19a18b6ee00d494ee79ab78f7f5703005852604127360fad3f7d400f149e6a7e38012b00cc8c8acdcaabf429fa7eaa12d64ca3f3351c2ec5440ac626072e2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
4ac33d00da36f9c1961591e9d7a750ec

SHA1
d4300a15203814f6786978ba689e8e2e3971c4a7

SHA256
4e3a6ab30a9a7eddd33c6493df6fe2022c96061030d2f94001a1e746667651b0

SHA512
be971edf3f7a39a1c0f476bee6588f3448c69eeb269520ee6df4224b417cdb068c4300897bb3a29c054cc3865b4f45d85cdf38f8c6dc8fa14067e9deecbc8781

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CLIDSXX.exe
MD5
d684fa1626b63d9a17c8818a63a23975

SHA1
58b118874ca88dc269d7345fa84fb33e3e42aab7

SHA256
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737

SHA512
5f3a889a73b8ace63b9d48518871a0effb65d3581d4fce0bea28576ffdccef6a5d4f8d974f87bf6047ea514748ed88f52572eea8053b4bf4e17e373725ade20b

Download Submit
memory/1204-23-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1480-8-0x0000000000000000-mapping.dmp

Download
memory/1604-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1604-15-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1604-16-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1604-18-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1604-19-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1604-20-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1604-21-0x00000000004139DE-mapping.dmp

Download
memory/1956-2-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download