Overview

overview

10

Static

static

Bank Details.xlsx

windows7_x64

10

Bank Details.xlsx

windows10_x64

1

Analysis

  • max time kernel
    138s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 05:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank Details.xlsx

  • Size

    327KB

  • MD5

    1cdbd552294df147d59c7098ce40584d

  • SHA1

    665ce5496ea7db7e44c01f6b6f448765d75e989f

  • SHA256

    c19f592d9185040912a2901fdd4910ff4ebfd6c6b6ac3b41a1153d93828b1841

  • SHA512

    ce4546f66e9c718ec270d2798add97581127d06232b424f74e1ef17e4b6af2c98c14092d4d2e5ee4fa31bbccfb1b1c57ae90ed5c26aca276b68b2d473feca877

Score
10/10
lokibotcollectionspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Bank Details.xlsx"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1528
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\vbc.exe
    MD5

    70d177abc7455c709ae9710630b9ea49

    SHA1

    4d81e55880a35c0157046560eca20b9f528838f4

    SHA256

    b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511

    SHA512

    25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c

    Download Submit
  • C:\Users\Public\vbc.exe
    MD5

    70d177abc7455c709ae9710630b9ea49

    SHA1

    4d81e55880a35c0157046560eca20b9f528838f4

    SHA256

    b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511

    SHA512

    25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c

    Download Submit
  • C:\Users\Public\vbc.exe
    MD5

    70d177abc7455c709ae9710630b9ea49

    SHA1

    4d81e55880a35c0157046560eca20b9f528838f4

    SHA256

    b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511

    SHA512

    25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsdF1EE.tmp\mahyiit.dll
    MD5

    b5d0f9fbb3df9a1a42b479fdd334417c

    SHA1

    f0780dbafbdb20235c97a28cc0ad8e1abc1547f3

    SHA256

    0eaec60342b2074da968f010e592ad52c8b7dbfd72759b97f999f0eb88861136

    SHA512

    3bd39726feb5b0b946e6b29c17a12ba044bf2d0e5374c217527542a6a6f09f65e3944007d0427936178e5c485bede8631caa5738d0be50ac291759fcdd4ec26f

    Download Submit
  • \Users\Public\vbc.exe
    MD5

    70d177abc7455c709ae9710630b9ea49

    SHA1

    4d81e55880a35c0157046560eca20b9f528838f4

    SHA256

    b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511

    SHA512

    25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c

    Download Submit
  • \Users\Public\vbc.exe
    MD5

    70d177abc7455c709ae9710630b9ea49

    SHA1

    4d81e55880a35c0157046560eca20b9f528838f4

    SHA256

    b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511

    SHA512

    25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c

    Download Submit
  • \Users\Public\vbc.exe
    MD5

    70d177abc7455c709ae9710630b9ea49

    SHA1

    4d81e55880a35c0157046560eca20b9f528838f4

    SHA256

    b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511

    SHA512

    25fd5fa3de0e8bfb89695b3ce55dbeb059eaaaef4a8d9cd4e503f1ccda379cc0ba550354aee59445876c1ea1244d3d696ecfd7e964f3ce0f328a83f48c5ce24c

    Download Submit
  • memory/680-56-0x0000000074B91000-0x0000000074B93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-53-0x000000002FE61000-0x000000002FE64000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1528-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1528-54-0x0000000070F01000-0x0000000070F03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-70-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1832-65-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1832-66-0x00000000004139DE-mapping.dmp
    Download
  • memory/1832-69-0x0000000000400000-0x00000000004A2000-memory.dmp
    Filesize

    648KB

    Download
  • memory/1932-60-0x0000000000000000-mapping.dmp
    Download