lokibot | e9228a345f2d9e7f0fcb8fe091c41e678f743295d723f6141769af47d4d8e082

General

Target

Quotation.xlsx
Size

1.2MB
MD5

7d4d448a7d403b6d949868b89edc010d
SHA1

99c431853b504296c448035ba44d38426572063a
SHA256

e9228a345f2d9e7f0fcb8fe091c41e678f743295d723f6141769af47d4d8e082
SHA512

56e71a502ab779eda9615f3b594d6384dc8397816fc6a04b3278dbc9b51fb14f50a00ba662f9bf88cf297ee9e0a78f6a1171fdf4d4b9d7f93e06560e32f31ee9

Score

10^/10

lokibot spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://manvim.co/fd14/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/760-77-0x0000000000540000-0x000000000054B000-memory.dmp	CustAttr

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1996 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

760 vbc.exe
1008 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1996 EQNEDT32.EXE
1996 EQNEDT32.EXE
1996 EQNEDT32.EXE
1996 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 760 set thread context of 1008 760 vbc.exe vbc.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1996 EQNEDT32.EXE

flow	pid	process
6	1996	EQNEDT32.EXE

pid	process
760	vbc.exe
1008	vbc.exe

pid	process
1996	EQNEDT32.EXE
1996	EQNEDT32.EXE
1996	EQNEDT32.EXE
1996	EQNEDT32.EXE

description	pid	process	target process
PID 760 set thread context of 1008	760	vbc.exe	vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1996	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

784 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1008 vbc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

784 EXCEL.EXE
784 EXCEL.EXE
784 EXCEL.EXE

pid	process
784	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1008	vbc.exe

pid	process
784	EXCEL.EXE
784	EXCEL.EXE
784	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 1996 wrote to memory of 760	1996	EQNEDT32.EXE	vbc.exe
PID 1996 wrote to memory of 760	1996	EQNEDT32.EXE	vbc.exe
PID 1996 wrote to memory of 760	1996	EQNEDT32.EXE	vbc.exe
PID 1996 wrote to memory of 760	1996	EQNEDT32.EXE	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe
PID 760 wrote to memory of 1008	760	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xlsx
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:784

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
f5ee0c1e0e3dce98edc75024d9dc0d8a

SHA1
88a12fc23d3563d7b3077111da551fc00fbb464a

SHA256
bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8

SHA512
e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272

Download Submit
C:\Users\Public\vbc.exe
MD5
f5ee0c1e0e3dce98edc75024d9dc0d8a

SHA1
88a12fc23d3563d7b3077111da551fc00fbb464a

SHA256
bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8

SHA512
e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272

Download Submit
C:\Users\Public\vbc.exe
MD5
f5ee0c1e0e3dce98edc75024d9dc0d8a

SHA1
88a12fc23d3563d7b3077111da551fc00fbb464a

SHA256
bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8

SHA512
e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272

Download Submit
\Users\Public\vbc.exe
MD5
f5ee0c1e0e3dce98edc75024d9dc0d8a

SHA1
88a12fc23d3563d7b3077111da551fc00fbb464a

SHA256
bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8

SHA512
e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272

Download Submit
\Users\Public\vbc.exe
MD5
f5ee0c1e0e3dce98edc75024d9dc0d8a

SHA1
88a12fc23d3563d7b3077111da551fc00fbb464a

SHA256
bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8

SHA512
e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272

Download Submit
\Users\Public\vbc.exe
MD5
f5ee0c1e0e3dce98edc75024d9dc0d8a

SHA1
88a12fc23d3563d7b3077111da551fc00fbb464a

SHA256
bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8

SHA512
e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272

Download Submit
\Users\Public\vbc.exe
MD5
f5ee0c1e0e3dce98edc75024d9dc0d8a

SHA1
88a12fc23d3563d7b3077111da551fc00fbb464a

SHA256
bc3155d96b1b3ea6a925a96ab13abec98fd056b75adbc4ff2a802ac8fda7e6c8

SHA512
e8ea09ba2d87259ebdf7c6446d56d2e14627e536c5f707edb26427e754a091093763bae9f4101b7e839c570a04151aa6139b5938059145fbb35a4691f6544272

Download Submit
memory/760-73-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/760-77-0x0000000000540000-0x000000000054B000-memory.dmp

Filesize
44KB

Download
memory/760-79-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/760-78-0x0000000004E20000-0x0000000004E85000-memory.dmp

Filesize
404KB

Download
memory/760-71-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/760-68-0x0000000000000000-mapping.dmp

Download
memory/784-60-0x000000002FCF1000-0x000000002FCF4000-memory.dmp

Filesize
12KB

Download
memory/784-75-0x00000000060B0000-0x0000000006CFA000-memory.dmp

Filesize
12.3MB

Download
memory/784-76-0x00000000060B0000-0x0000000006CFA000-memory.dmp

Filesize
12.3MB

Download
memory/784-74-0x00000000060B0000-0x0000000006CFA000-memory.dmp

Filesize
12.3MB

Download
memory/784-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/784-61-0x0000000071091000-0x0000000071093000-memory.dmp

Filesize
8KB

Download
memory/784-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1008-81-0x00000000004139DE-mapping.dmp

Download
memory/1008-80-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1008-84-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1996-63-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads