lokibot | 87ae90b4bcea2975bbd1ff50473088c164a459c54de7b0285180ab66529bd615

General

Target

Purchase Order NO_16732.xlsx
Size

707KB
MD5

163bb3b38532d77a90179771fe6f9c56
SHA1

6f54b781306c271e01056b07b3906f992de72d1a
SHA256

87ae90b4bcea2975bbd1ff50473088c164a459c54de7b0285180ab66529bd615
SHA512

5e1fa9eb521cd15430cdd2ac49d9061a3a9d0d12e56132bfb77f2a049e9ab4d0f68d1432b993af84909b5ae2931cd9eb2bed83242f2d263f2eac50b87ccafe71

Score

10^/10

lokibot spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://arku.xyz/tkrr/T1/w2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1640 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

ruondaw.exeruondaw.exe

pid process

912 ruondaw.exe
1592 ruondaw.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1640 EQNEDT32.EXE
1640 EQNEDT32.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

ruondaw.exe

description pid process target process

PID 912 set thread context of 1592 912 ruondaw.exe ruondaw.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1640 EQNEDT32.EXE

flow	pid	process
6	1640	EQNEDT32.EXE

pid	process
912	ruondaw.exe
1592	ruondaw.exe

pid	process
1640	EQNEDT32.EXE
1640	EQNEDT32.EXE

description	pid	process	target process
PID 912 set thread context of 1592	912	ruondaw.exe	ruondaw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1640	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

288 EXCEL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

288 EXCEL.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ruondaw.exe

pid process

912 ruondaw.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ruondaw.exeEXCEL.EXE

description pid process

Token: SeDebugPrivilege 1592 ruondaw.exe
Token: SeShutdownPrivilege 288 EXCEL.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXE

pid process

288 EXCEL.EXE
288 EXCEL.EXE
288 EXCEL.EXE
288 EXCEL.EXE
288 EXCEL.EXE
288 EXCEL.EXE
288 EXCEL.EXE

pid	process
288	EXCEL.EXE

pid	process
288	EXCEL.EXE

pid	process
912	ruondaw.exe

description	pid	process
Token: SeDebugPrivilege	1592	ruondaw.exe
Token: SeShutdownPrivilege	288	EXCEL.EXE

pid	process
288	EXCEL.EXE
288	EXCEL.EXE
288	EXCEL.EXE
288	EXCEL.EXE
288	EXCEL.EXE
288	EXCEL.EXE
288	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EQNEDT32.EXEruondaw.exe

description	pid	process	target process
PID 1640 wrote to memory of 912	1640	EQNEDT32.EXE	ruondaw.exe
PID 1640 wrote to memory of 912	1640	EQNEDT32.EXE	ruondaw.exe
PID 1640 wrote to memory of 912	1640	EQNEDT32.EXE	ruondaw.exe
PID 1640 wrote to memory of 912	1640	EQNEDT32.EXE	ruondaw.exe
PID 912 wrote to memory of 1592	912	ruondaw.exe	ruondaw.exe
PID 912 wrote to memory of 1592	912	ruondaw.exe	ruondaw.exe
PID 912 wrote to memory of 1592	912	ruondaw.exe	ruondaw.exe
PID 912 wrote to memory of 1592	912	ruondaw.exe	ruondaw.exe
PID 912 wrote to memory of 1592	912	ruondaw.exe	ruondaw.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order NO_16732.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Roaming\ruondaw.exe
C:\Users\Admin\AppData\Roaming\ruondaw.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Roaming\ruondaw.exe
C:\Users\Admin\AppData\Roaming\ruondaw.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ruondaw.exe

MD5
292850d686018e089718a2d098dd3632

SHA1
640a1e27d1c7067f73c48cfb1f8ac22adc258abc

SHA256
94a9d432e193314c164a3c6d909b69bbacf81649e9b99e9f311536714ef01d5a

SHA512
7265257135750ee9ff05f7ef44f2f92c6c793ff43ea0fef4634aa00d244c8706bda7ef05198ab0c76061cd5b4e1a0996c2ad8fed502404ee64f6b8e84ed83389

Download Submit
C:\Users\Admin\AppData\Roaming\ruondaw.exe

MD5
292850d686018e089718a2d098dd3632

SHA1
640a1e27d1c7067f73c48cfb1f8ac22adc258abc

SHA256
94a9d432e193314c164a3c6d909b69bbacf81649e9b99e9f311536714ef01d5a

SHA512
7265257135750ee9ff05f7ef44f2f92c6c793ff43ea0fef4634aa00d244c8706bda7ef05198ab0c76061cd5b4e1a0996c2ad8fed502404ee64f6b8e84ed83389

Download Submit
C:\Users\Admin\AppData\Roaming\ruondaw.exe

MD5
292850d686018e089718a2d098dd3632

SHA1
640a1e27d1c7067f73c48cfb1f8ac22adc258abc

SHA256
94a9d432e193314c164a3c6d909b69bbacf81649e9b99e9f311536714ef01d5a

SHA512
7265257135750ee9ff05f7ef44f2f92c6c793ff43ea0fef4634aa00d244c8706bda7ef05198ab0c76061cd5b4e1a0996c2ad8fed502404ee64f6b8e84ed83389

Download Submit
\Users\Admin\AppData\Roaming\ruondaw.exe

MD5
292850d686018e089718a2d098dd3632

SHA1
640a1e27d1c7067f73c48cfb1f8ac22adc258abc

SHA256
94a9d432e193314c164a3c6d909b69bbacf81649e9b99e9f311536714ef01d5a

SHA512
7265257135750ee9ff05f7ef44f2f92c6c793ff43ea0fef4634aa00d244c8706bda7ef05198ab0c76061cd5b4e1a0996c2ad8fed502404ee64f6b8e84ed83389

Download Submit
\Users\Admin\AppData\Roaming\ruondaw.exe

MD5
292850d686018e089718a2d098dd3632

SHA1
640a1e27d1c7067f73c48cfb1f8ac22adc258abc

SHA256
94a9d432e193314c164a3c6d909b69bbacf81649e9b99e9f311536714ef01d5a

SHA512
7265257135750ee9ff05f7ef44f2f92c6c793ff43ea0fef4634aa00d244c8706bda7ef05198ab0c76061cd5b4e1a0996c2ad8fed502404ee64f6b8e84ed83389

Download Submit
memory/288-60-0x0000000071581000-0x0000000071583000-memory.dmp

Filesize
8KB

Download
memory/288-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/288-59-0x000000002F301000-0x000000002F304000-memory.dmp

Filesize
12KB

Download
memory/912-72-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download
memory/912-65-0x0000000000000000-mapping.dmp

Download
memory/1592-69-0x00000000004139DE-mapping.dmp

Download
memory/1592-73-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1640-62-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing