lokibot | 548296865b8b5a459b2b10452f1ae241e0a986f16bb926c0e32abede05382dc8

Resubmissions

02-03-2021 15:34

210302-x28a5s1ble 10

02-03-2021 08:06

210302-bnz4y8jvpe 8

Analysis

max time kernel
108s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
02-03-2021 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Swift.doc
Size

272KB
MD5

7cee2199a1ec8bbd2522215652d29b8a
SHA1

24a45ccf5a2dccc9351e2a7b94ca96de688b23e8
SHA256

548296865b8b5a459b2b10452f1ae241e0a986f16bb926c0e32abede05382dc8
SHA512

b31a57a74321256e81741cacb1c94e7ef53750d93a95a068c043479be42311a68a3785947534d8b1715a923febb897f856ecf0e44111908b87a2a92641dad944

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

https://www.millsmiltinon.com/Ujfhdt/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Executes dropped EXE 3 IoCs

Processes:

CFUBZ.exewfgt.sfx.exewfgt.exe

pid process

1648 CFUBZ.exe
1404 wfgt.sfx.exe
1788 wfgt.exe
Loads dropped DLL 8 IoCs

Processes:

WINWORD.EXEcmd.exewfgt.sfx.exe

pid process

2008 WINWORD.EXE
2008 WINWORD.EXE
2008 WINWORD.EXE
1412 cmd.exe
1404 wfgt.sfx.exe
1404 wfgt.sfx.exe
1404 wfgt.sfx.exe
1404 wfgt.sfx.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

wfgt.exe

description pid process target process

PID 1788 set thread context of 1172 1788 wfgt.exe vbc.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

pid	process
1648	CFUBZ.exe
1404	wfgt.sfx.exe
1788	wfgt.exe

pid	process
2008	WINWORD.EXE
2008	WINWORD.EXE
2008	WINWORD.EXE
1412	cmd.exe
1404	wfgt.sfx.exe
1404	wfgt.sfx.exe
1404	wfgt.sfx.exe
1404	wfgt.sfx.exe

description	pid	process	target process
PID 1788 set thread context of 1172	1788	wfgt.exe	vbc.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\wfgt.exe:ZONE.identifier cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wfgt.exe

pid process

1788 wfgt.exe
1788 wfgt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wfgt.exevbc.exe

description pid process

Token: SeDebugPrivilege 1788 wfgt.exe
Token: SeDebugPrivilege 1172 vbc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2008 WINWORD.EXE
2008 WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\wfgt.exe:ZONE.identifier	cmd.exe

pid	process
2008	WINWORD.EXE

pid	process
1788	wfgt.exe
1788	wfgt.exe

description	pid	process
Token: SeDebugPrivilege	1788	wfgt.exe
Token: SeDebugPrivilege	1172	vbc.exe

pid	process
2008	WINWORD.EXE
2008	WINWORD.EXE

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

WINWORD.EXECFUBZ.execmd.exewfgt.sfx.exewfgt.exe

description	pid	process	target process
PID 2008 wrote to memory of 1648	2008	WINWORD.EXE	CFUBZ.exe
PID 2008 wrote to memory of 1648	2008	WINWORD.EXE	CFUBZ.exe
PID 2008 wrote to memory of 1648	2008	WINWORD.EXE	CFUBZ.exe
PID 2008 wrote to memory of 1648	2008	WINWORD.EXE	CFUBZ.exe
PID 2008 wrote to memory of 1648	2008	WINWORD.EXE	CFUBZ.exe
PID 2008 wrote to memory of 1648	2008	WINWORD.EXE	CFUBZ.exe
PID 2008 wrote to memory of 1648	2008	WINWORD.EXE	CFUBZ.exe
PID 1648 wrote to memory of 1412	1648	CFUBZ.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	CFUBZ.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	CFUBZ.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	CFUBZ.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	CFUBZ.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	CFUBZ.exe	cmd.exe
PID 1648 wrote to memory of 1412	1648	CFUBZ.exe	cmd.exe
PID 1412 wrote to memory of 1404	1412	cmd.exe	wfgt.sfx.exe
PID 1412 wrote to memory of 1404	1412	cmd.exe	wfgt.sfx.exe
PID 1412 wrote to memory of 1404	1412	cmd.exe	wfgt.sfx.exe
PID 1412 wrote to memory of 1404	1412	cmd.exe	wfgt.sfx.exe
PID 1412 wrote to memory of 1404	1412	cmd.exe	wfgt.sfx.exe
PID 1412 wrote to memory of 1404	1412	cmd.exe	wfgt.sfx.exe
PID 1412 wrote to memory of 1404	1412	cmd.exe	wfgt.sfx.exe
PID 1404 wrote to memory of 1788	1404	wfgt.sfx.exe	wfgt.exe
PID 1404 wrote to memory of 1788	1404	wfgt.sfx.exe	wfgt.exe
PID 1404 wrote to memory of 1788	1404	wfgt.sfx.exe	wfgt.exe
PID 1404 wrote to memory of 1788	1404	wfgt.sfx.exe	wfgt.exe
PID 1404 wrote to memory of 1788	1404	wfgt.sfx.exe	wfgt.exe
PID 1404 wrote to memory of 1788	1404	wfgt.sfx.exe	wfgt.exe
PID 1404 wrote to memory of 1788	1404	wfgt.sfx.exe	wfgt.exe
PID 1788 wrote to memory of 1500	1788	wfgt.exe	cmd.exe
PID 1788 wrote to memory of 1500	1788	wfgt.exe	cmd.exe
PID 1788 wrote to memory of 1500	1788	wfgt.exe	cmd.exe
PID 1788 wrote to memory of 1500	1788	wfgt.exe	cmd.exe
PID 1788 wrote to memory of 1500	1788	wfgt.exe	cmd.exe
PID 1788 wrote to memory of 1500	1788	wfgt.exe	cmd.exe
PID 1788 wrote to memory of 1500	1788	wfgt.exe	cmd.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe
PID 1788 wrote to memory of 1172	1788	wfgt.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Swift.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CFUBZ.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CFUBZ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\wfgt.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Roaming\wfgt.sfx.exe
wfgt.sfx.exe -pShfnfiklokfnPLIKMNbfdhdbHJVHvUjMVdfdEFVGbhnmkOLpikHNVVdeDVgtfvhf -dC:\Users\Admin\AppData\Roaming
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Roaming\wfgt.exe
"C:\Users\Admin\AppData\Roaming\wfgt.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > "C:\Users\Admin\AppData\Roaming\wfgt.exe":ZONE.identifier & exit
6⤵
- NTFS ADS
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
cmd.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CFUBZ.exe
MD5
c00f1632498f16a7532e72a3367ff393

SHA1
b30f2019df1fa81513b95aa42b209016abac9bc5

SHA256
ac7e03dba6741513a6669d349efc0317c21f25cdd9ff28c033dfde9b6ffdd818

SHA512
028ed07c20999b496b37b0a5851b16785ed2d3b4f5136c08551ee219bfa15b793d58af3698b166b937ea8e907e3bf38b6e16df5a260ed19fbb1e4679a2f655f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CFUBZ.exe
MD5
c00f1632498f16a7532e72a3367ff393

SHA1
b30f2019df1fa81513b95aa42b209016abac9bc5

SHA256
ac7e03dba6741513a6669d349efc0317c21f25cdd9ff28c033dfde9b6ffdd818

SHA512
028ed07c20999b496b37b0a5851b16785ed2d3b4f5136c08551ee219bfa15b793d58af3698b166b937ea8e907e3bf38b6e16df5a260ed19fbb1e4679a2f655f5

Download Submit
C:\Users\Admin\AppData\Roaming\wfgt.bat
MD5
1e5c8612604a42f2e400c01d1c4c7fe7

SHA1
d1cc8f709c233c99a83a6e1cdd2788092675fb57

SHA256
ae947da02e1c258a1ba931325fbff2fb0ea3c264e2f4c4c8d1f5487ff389019e

SHA512
2665ef8dcf373c76a6e545e5bd6e89db8888fe718d863d050890cdbe91180fb6d24c358de23580aa03bd699bea625067310c27ddf405bce317410549e97ae96c

Download Submit
C:\Users\Admin\AppData\Roaming\wfgt.exe
MD5
98ae673364d5f417f951add7924f3006

SHA1
a3a302e7621fb3805b21bcd023da4c8b259d9311

SHA256
e5f71a03a5951347faa5a3a6d7500010c181e2e6145819779bb86bc57c38c5b5

SHA512
6a9f27c30850354be2c23936fef1cbff09f5697baacb8bd2995f9427c8c13b4017c20000bd76af86c44a46d9c139e58e3e5f3cb600a88cce5bf4b641ddd3aaf4

Download Submit
C:\Users\Admin\AppData\Roaming\wfgt.exe
MD5
98ae673364d5f417f951add7924f3006

SHA1
a3a302e7621fb3805b21bcd023da4c8b259d9311

SHA256
e5f71a03a5951347faa5a3a6d7500010c181e2e6145819779bb86bc57c38c5b5

SHA512
6a9f27c30850354be2c23936fef1cbff09f5697baacb8bd2995f9427c8c13b4017c20000bd76af86c44a46d9c139e58e3e5f3cb600a88cce5bf4b641ddd3aaf4

Download Submit
C:\Users\Admin\AppData\Roaming\wfgt.exe
MD5
98ae673364d5f417f951add7924f3006

SHA1
a3a302e7621fb3805b21bcd023da4c8b259d9311

SHA256
e5f71a03a5951347faa5a3a6d7500010c181e2e6145819779bb86bc57c38c5b5

SHA512
6a9f27c30850354be2c23936fef1cbff09f5697baacb8bd2995f9427c8c13b4017c20000bd76af86c44a46d9c139e58e3e5f3cb600a88cce5bf4b641ddd3aaf4

Download Submit
C:\Users\Admin\AppData\Roaming\wfgt.sfx.exe
MD5
b7e5b552591fdeb9e569c05df47b9404

SHA1
0c5205dd2c75d0852a635e85b0ca9e3f537a6a85

SHA256
2900036db573df247b96fc8e7211ae84dc1cfe28da24fc3890f47c78aa29efdd

SHA512
15f591ac5a0b6d37704a63e0b02fc725bb347a68106d2c99dc1c41ca8fcc54acf666ac112d5b5073eaa6a44217f49902a0ae35bc93f854ea30a8ce90cb79a82a

Download Submit
C:\Users\Admin\AppData\Roaming\wfgt.sfx.exe
MD5
b7e5b552591fdeb9e569c05df47b9404

SHA1
0c5205dd2c75d0852a635e85b0ca9e3f537a6a85

SHA256
2900036db573df247b96fc8e7211ae84dc1cfe28da24fc3890f47c78aa29efdd

SHA512
15f591ac5a0b6d37704a63e0b02fc725bb347a68106d2c99dc1c41ca8fcc54acf666ac112d5b5073eaa6a44217f49902a0ae35bc93f854ea30a8ce90cb79a82a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CFUBZ.exe
MD5
c00f1632498f16a7532e72a3367ff393

SHA1
b30f2019df1fa81513b95aa42b209016abac9bc5

SHA256
ac7e03dba6741513a6669d349efc0317c21f25cdd9ff28c033dfde9b6ffdd818

SHA512
028ed07c20999b496b37b0a5851b16785ed2d3b4f5136c08551ee219bfa15b793d58af3698b166b937ea8e907e3bf38b6e16df5a260ed19fbb1e4679a2f655f5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CFUBZ.exe
MD5
c00f1632498f16a7532e72a3367ff393

SHA1
b30f2019df1fa81513b95aa42b209016abac9bc5

SHA256
ac7e03dba6741513a6669d349efc0317c21f25cdd9ff28c033dfde9b6ffdd818

SHA512
028ed07c20999b496b37b0a5851b16785ed2d3b4f5136c08551ee219bfa15b793d58af3698b166b937ea8e907e3bf38b6e16df5a260ed19fbb1e4679a2f655f5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CFUBZ.exe
MD5
c00f1632498f16a7532e72a3367ff393

SHA1
b30f2019df1fa81513b95aa42b209016abac9bc5

SHA256
ac7e03dba6741513a6669d349efc0317c21f25cdd9ff28c033dfde9b6ffdd818

SHA512
028ed07c20999b496b37b0a5851b16785ed2d3b4f5136c08551ee219bfa15b793d58af3698b166b937ea8e907e3bf38b6e16df5a260ed19fbb1e4679a2f655f5

Download Submit
\Users\Admin\AppData\Roaming\wfgt.exe
MD5
98ae673364d5f417f951add7924f3006

SHA1
a3a302e7621fb3805b21bcd023da4c8b259d9311

SHA256
e5f71a03a5951347faa5a3a6d7500010c181e2e6145819779bb86bc57c38c5b5

SHA512
6a9f27c30850354be2c23936fef1cbff09f5697baacb8bd2995f9427c8c13b4017c20000bd76af86c44a46d9c139e58e3e5f3cb600a88cce5bf4b641ddd3aaf4

Download Submit
\Users\Admin\AppData\Roaming\wfgt.exe
MD5
98ae673364d5f417f951add7924f3006

SHA1
a3a302e7621fb3805b21bcd023da4c8b259d9311

SHA256
e5f71a03a5951347faa5a3a6d7500010c181e2e6145819779bb86bc57c38c5b5

SHA512
6a9f27c30850354be2c23936fef1cbff09f5697baacb8bd2995f9427c8c13b4017c20000bd76af86c44a46d9c139e58e3e5f3cb600a88cce5bf4b641ddd3aaf4

Download Submit
\Users\Admin\AppData\Roaming\wfgt.exe
MD5
98ae673364d5f417f951add7924f3006

SHA1
a3a302e7621fb3805b21bcd023da4c8b259d9311

SHA256
e5f71a03a5951347faa5a3a6d7500010c181e2e6145819779bb86bc57c38c5b5

SHA512
6a9f27c30850354be2c23936fef1cbff09f5697baacb8bd2995f9427c8c13b4017c20000bd76af86c44a46d9c139e58e3e5f3cb600a88cce5bf4b641ddd3aaf4

Download Submit
\Users\Admin\AppData\Roaming\wfgt.exe
MD5
98ae673364d5f417f951add7924f3006

SHA1
a3a302e7621fb3805b21bcd023da4c8b259d9311

SHA256
e5f71a03a5951347faa5a3a6d7500010c181e2e6145819779bb86bc57c38c5b5

SHA512
6a9f27c30850354be2c23936fef1cbff09f5697baacb8bd2995f9427c8c13b4017c20000bd76af86c44a46d9c139e58e3e5f3cb600a88cce5bf4b641ddd3aaf4

Download Submit
\Users\Admin\AppData\Roaming\wfgt.sfx.exe
MD5
b7e5b552591fdeb9e569c05df47b9404

SHA1
0c5205dd2c75d0852a635e85b0ca9e3f537a6a85

SHA256
2900036db573df247b96fc8e7211ae84dc1cfe28da24fc3890f47c78aa29efdd

SHA512
15f591ac5a0b6d37704a63e0b02fc725bb347a68106d2c99dc1c41ca8fcc54acf666ac112d5b5073eaa6a44217f49902a0ae35bc93f854ea30a8ce90cb79a82a

Download Submit
memory/1144-5-0x000007FEF7020000-0x000007FEF729A000-memory.dmp

Filesize
2.5MB

Download
memory/1172-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1172-36-0x00000000004139DE-mapping.dmp

Download
memory/1172-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1404-18-0x0000000000000000-mapping.dmp

Download
memory/1412-13-0x0000000000000000-mapping.dmp

Download
memory/1500-32-0x0000000000000000-mapping.dmp

Download
memory/1648-11-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download
memory/1648-9-0x0000000000000000-mapping.dmp

Download
memory/1788-29-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1788-30-0x0000000000951000-0x0000000000952000-memory.dmp

Filesize
4KB

Download
memory/1788-31-0x0000000000956000-0x0000000000967000-memory.dmp

Filesize
68KB

Download
memory/1788-25-0x0000000000000000-mapping.dmp

Download
memory/2008-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-3-0x000000006FD21000-0x000000006FD23000-memory.dmp

Filesize
8KB

Download
memory/2008-2-0x00000000722A1000-0x00000000722A4000-memory.dmp

Filesize
12KB

Download