lokibot | 1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4e

Analysis

max time kernel
144s
max time network
143s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
04-08-2023 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4exls_JC.xls
Size

444KB
MD5

de2866f237dbf0a2b85e26d80c56279b
SHA1

f717129b1873e90e78173794e51ee056fb0dd342
SHA256

1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4e
SHA512

249dec13bb83cb8b797b1cafb85b0b557b2d3cd5b090817f1a871039f7362647f8bfa19320ed8db8bbdd7b733bef18355a8117b76b1a54322cc41173aa7c8f38
SSDEEP

12288:4SwooWQmmme6v3QLQuEeArYz/4eVRFqPhvGE75S:UWQmmav30x/NVRFqJvG

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://2.59.254.19/fresh2/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1516	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2260	IE_NetInet.exe

Loads dropped DLL 2 IoCs

pid	Process
1516	EQNEDT32.EXE
1516	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1516	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2572	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	IE_NetInet.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2572	EXCEL.EXE
2572	EXCEL.EXE
2572	EXCEL.EXE
2592	WINWORD.EXE
2592	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2260	1516	EQNEDT32.EXE	31
PID 1516 wrote to memory of 2260	1516	EQNEDT32.EXE	31
PID 1516 wrote to memory of 2260	1516	EQNEDT32.EXE	31
PID 1516 wrote to memory of 2260	1516	EQNEDT32.EXE	31
PID 2592 wrote to memory of 2988	2592	WINWORD.EXE	32
PID 2592 wrote to memory of 2988	2592	WINWORD.EXE	32
PID 2592 wrote to memory of 2988	2592	WINWORD.EXE	32
PID 2592 wrote to memory of 2988	2592	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1ce46f86a092a55271cc028739981ea665f13482a9b8361959a0c8a70c626e4exls_JC.xls
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2988

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IE_NetInet.exe
  "C:\Users\Admin\AppData\Local\Temp\IE_NetInet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

Filesize
128KB

MD5
6bb6cc07566d75f0820b00c74895960b

SHA1
d98829e3583bc636cde9b959037007185ff1d083

SHA256
ae8998e02b88468e10603a833685a68df635f0c089d87fe0d2c42cff5ded3e51

SHA512
08c0069657222dde5e8ab8bd2aa061dc96c4764a64c06c66cd6beca3d268388e55698a22e94c8fed9521c4f484b88689e81457a88fcde0dc2b78d6d726e2c169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4C44D333-7D63-49CF-9527-B6D12A141656}.FSD

Filesize
128KB

MD5
a05a87d0fb372022482d45c6362ebfab

SHA1
ba4d859bb9695d109daae4f8d89072083d7183e3

SHA256
2198b8df684a02fffe85888b6296ba78fbabc1bf0bd7a1ebc3db88a423be20b9

SHA512
5560e3aa7cdb3a0473694e872435985ad8871955186d932f5267fc49c3d1025062ff7d5ebe6cf569cd6fa8cc95cc9bdf23b05f09e4e67c1d76fcac8111855c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\Document_20022949450#[1].doc

Filesize
42KB

MD5
5c90c56d044b8660bd78f51bec0b4795

SHA1
57a3c136ff7fcb1dcd234425f882d1ccd187e308

SHA256
4367de34635c09b60a24d8575d1253aabbe878daafaa6ee0e4504d7567332e45

SHA512
e6e0be75077e9a1234a2be515e4f10ad9461ca06e0b1709727f1203d1629afddc51aa79e2e308d8f20f40e2f50398ac12179198cac9f114f098c7a85fefe83c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\110E8DC2.doc

Filesize
42KB

MD5
5c90c56d044b8660bd78f51bec0b4795

SHA1
57a3c136ff7fcb1dcd234425f882d1ccd187e308

SHA256
4367de34635c09b60a24d8575d1253aabbe878daafaa6ee0e4504d7567332e45

SHA512
e6e0be75077e9a1234a2be515e4f10ad9461ca06e0b1709727f1203d1629afddc51aa79e2e308d8f20f40e2f50398ac12179198cac9f114f098c7a85fefe83c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE_NetInet.exe

Filesize
271KB

MD5
4268288fb3dbf0b63cf0836a4201135d

SHA1
5e2f695f8bf5c1fcd5086818554a15cb5da08bcd

SHA256
5eee327c9547654d3cc01473d65113b1346801acfaa70e2e79bf24b3eb226521

SHA512
a719a11fe5e6fe6a79597edcec0041d42e1cee6b41bf092aafdec093a6a2ed630c1eda952d4baddeed82e2d7080a06f489dcd182842da27fbdcf528f20990994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IE_NetInet.exe

Filesize
271KB

MD5
4268288fb3dbf0b63cf0836a4201135d

SHA1
5e2f695f8bf5c1fcd5086818554a15cb5da08bcd

SHA256
5eee327c9547654d3cc01473d65113b1346801acfaa70e2e79bf24b3eb226521

SHA512
a719a11fe5e6fe6a79597edcec0041d42e1cee6b41bf092aafdec093a6a2ed630c1eda952d4baddeed82e2d7080a06f489dcd182842da27fbdcf528f20990994

Download Submit
C:\Users\Admin\AppData\Local\Temp\ie_netinet.exe

Filesize
271KB

MD5
4268288fb3dbf0b63cf0836a4201135d

SHA1
5e2f695f8bf5c1fcd5086818554a15cb5da08bcd

SHA256
5eee327c9547654d3cc01473d65113b1346801acfaa70e2e79bf24b3eb226521

SHA512
a719a11fe5e6fe6a79597edcec0041d42e1cee6b41bf092aafdec093a6a2ed630c1eda952d4baddeed82e2d7080a06f489dcd182842da27fbdcf528f20990994

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EA0BFC7D-7B9C-441A-9905-080DF43ECC8F}

Filesize
128KB

MD5
bd08d7933164e79e7282c8705f931977

SHA1
e204ccee6a5ad75b49cf9294c80bcafcf5f23e04

SHA256
1846e8f14dad19eab383df6f466448fa38296d46ebaa531f92213da8519e0cf9

SHA512
61b311df45e3da0ce758da0d41c987507c46acffbc069731fefa3ad49ca959e4551f73c356234efda3e4ff000f43e4156e1cb45aa74b08e61f0b600f04ccffe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4159544280-4273523227-683900707-1000\0f5007522459c86e95ffcc62f32308f1_e736eb29-4310-49a0-93f5-e68114db9bc9

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4159544280-4273523227-683900707-1000\0f5007522459c86e95ffcc62f32308f1_e736eb29-4310-49a0-93f5-e68114db9bc9

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
\Users\Admin\AppData\Local\Temp\IE_NetInet.exe

Filesize
271KB

MD5
4268288fb3dbf0b63cf0836a4201135d

SHA1
5e2f695f8bf5c1fcd5086818554a15cb5da08bcd

SHA256
5eee327c9547654d3cc01473d65113b1346801acfaa70e2e79bf24b3eb226521

SHA512
a719a11fe5e6fe6a79597edcec0041d42e1cee6b41bf092aafdec093a6a2ed630c1eda952d4baddeed82e2d7080a06f489dcd182842da27fbdcf528f20990994

Download Submit
\Users\Admin\AppData\Local\Temp\IE_NetInet.exe

Filesize
271KB

MD5
4268288fb3dbf0b63cf0836a4201135d

SHA1
5e2f695f8bf5c1fcd5086818554a15cb5da08bcd

SHA256
5eee327c9547654d3cc01473d65113b1346801acfaa70e2e79bf24b3eb226521

SHA512
a719a11fe5e6fe6a79597edcec0041d42e1cee6b41bf092aafdec093a6a2ed630c1eda952d4baddeed82e2d7080a06f489dcd182842da27fbdcf528f20990994

Download Submit
memory/2260-178-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2260-157-0x0000000000240000-0x000000000025B000-memory.dmp

Filesize
108KB

Download
memory/2260-171-0x0000000000400000-0x0000000002433000-memory.dmp

Filesize
32.2MB

Download
memory/2260-179-0x0000000000240000-0x000000000025B000-memory.dmp

Filesize
108KB

Download
memory/2260-180-0x0000000000400000-0x0000000002433000-memory.dmp

Filesize
32.2MB

Download
memory/2260-158-0x0000000000400000-0x0000000002433000-memory.dmp

Filesize
32.2MB

Download
memory/2260-156-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2572-55-0x000000007362D000-0x0000000073638000-memory.dmp

Filesize
44KB

Download
memory/2572-151-0x000000007362D000-0x0000000073638000-memory.dmp

Filesize
44KB

Download
memory/2572-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2572-65-0x0000000002390000-0x0000000002392000-memory.dmp

Filesize
8KB

Download
memory/2592-155-0x000000007362D000-0x0000000073638000-memory.dmp

Filesize
44KB

Download
memory/2592-154-0x000000002F9D0000-0x000000002FB2D000-memory.dmp

Filesize
1.4MB

Download
memory/2592-60-0x000000002F9D0000-0x000000002FB2D000-memory.dmp

Filesize
1.4MB

Download
memory/2592-62-0x000000007362D000-0x0000000073638000-memory.dmp

Filesize
44KB

Download
memory/2592-64-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download