lokibot | dee188a1e94375c2ca0b7f82bb3f2d12ccfebd302fdf7ce1b21a15ca3c2e55d2

General

Target

Packing List,BL & Final Invoice.xls
Size

367KB
MD5

4afe5f193bbd9b656d67cafd0fd6d960
SHA1

038909d0d08a77de28f7f75d61fa4419bf975a00
SHA256

dee188a1e94375c2ca0b7f82bb3f2d12ccfebd302fdf7ce1b21a15ca3c2e55d2
SHA512

967f22f3b72ad4ebde157fe0ba9337dace1cee5a5639eaab2487d7839e5b0d64057b72406eef3ecca99225aa89118e8e1c51d3622384ec7b452b06dc7f9028cd
SSDEEP

6144:868TzqKnj5KO7ASrFHKzrK2cg7yRI7reRkbrrIxtLxIISHBWp7rMMnP+nIg3oBoH:cmaYO71FHKzrK2aI7SePrIxRxIISHBI+

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://dashboardproducts.info/bally/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	2208	EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\14.0\Common	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\Common\Offline\Files\http://sini.la/c40mh	WINWORD.EXE

Executes dropped EXE 3 IoCs

pid	Process
1788	igcc.exe
1740	igcc.exe
1180	igcc.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	EQNEDT32.EXE
2208	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igcc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 1180	1788	igcc.exe	38

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2208	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2436	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1788	igcc.exe
1788	igcc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	igcc.exe
Token: SeDebugPrivilege	1180	igcc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2436	EXCEL.EXE
2436	EXCEL.EXE
2436	EXCEL.EXE
2936	WINWORD.EXE
2936	WINWORD.EXE
2436	EXCEL.EXE
2436	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1788	2208	EQNEDT32.EXE	35
PID 2208 wrote to memory of 1788	2208	EQNEDT32.EXE	35
PID 2208 wrote to memory of 1788	2208	EQNEDT32.EXE	35
PID 2208 wrote to memory of 1788	2208	EQNEDT32.EXE	35
PID 2936 wrote to memory of 1092	2936	WINWORD.EXE	36
PID 2936 wrote to memory of 1092	2936	WINWORD.EXE	36
PID 2936 wrote to memory of 1092	2936	WINWORD.EXE	36
PID 2936 wrote to memory of 1092	2936	WINWORD.EXE	36
PID 1788 wrote to memory of 1740	1788	igcc.exe	37
PID 1788 wrote to memory of 1740	1788	igcc.exe	37
PID 1788 wrote to memory of 1740	1788	igcc.exe	37
PID 1788 wrote to memory of 1740	1788	igcc.exe	37
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38
PID 1788 wrote to memory of 1180	1788	igcc.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igcc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igcc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Packing List,BL & Final Invoice.xls"
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1092

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\igcc.exe
  "C:\Users\Admin\AppData\Roaming\igcc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Roaming\igcc.exe
    "C:\Users\Admin\AppData\Roaming\igcc.exe"
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Users\Admin\AppData\Roaming\igcc.exe
    "C:\Users\Admin\AppData\Roaming\igcc.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{252B0510-E153-4C09-A835-17C540F3EF59}.FSD

Filesize
128KB

MD5
41b1675e722653175163eca2a6071c13

SHA1
16a07d50ddee55025c67d8760c92b23336dced15

SHA256
90a95a3f986667b21b557dc75d892b41ba68941e9e8e63f6c00768a886596d8f

SHA512
34d263833fd358e1f814ca28b977733243b0c48135d9eb42728609678c5978a4397841dec4347cab8164bc6b0cfb4d3368f519b104a7eac929711201db93bd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
24c722cc92c9138a33bedf8f8d743146

SHA1
1cfc75f8f995950759ba467602e48e9fd3fa3f2a

SHA256
475107cc1aa64372b3e777edc16191c40730e867d7bb283da3c816f3991f57c5

SHA512
f37c8db8ae41c24b44e9f236672369c81c6af9517ff35e200fbecff8e8d65174e97e8db80dcdeae8fda5c4844226f26441ed0580a3bd6aa00f3398b6b28a1d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{114563D8-FF81-4E09-B294-02779FBE9CCA}.FSD

Filesize
128KB

MD5
4e1e0b2cb4987722cd336a5e2d9f237b

SHA1
ec90f3050e406d6134778b030417a58dfe13b836

SHA256
f2987f5d069914b68099fc957d914e88855e9add7f73d4db5f33f59247175ddd

SHA512
c69cd4c222b92c4acdb68012ff6cfb86b1f48053c6d3483069e62f7bd8023e448fb7fc16a9003b589d59dd08a1faf1e925790750d1d9847ca1b883def9236ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I31L8UE7\mk.mk.mk.mkmkmk[1].doc

Filesize
63KB

MD5
f48645f93407473fccd3d921827b876e

SHA1
9d81d6c22da289fc2b04c0f7cef803debccbf72d

SHA256
14ea26a775bf7cd9c438c726ec846bf9cdce4d76c918ad5ed3774376b0de3619

SHA512
dbf232cf00ad890c4710e1ec80c2c430d5aa7e252aac0b658e527d74eff3b4595ead6f784754aeaaf219b7323a7ee69bcfe06d5a1afaa3720ea44d5aae96cbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2829C0EE-DF5B-4C89-A3FA-438A92CA75F7}

Filesize
128KB

MD5
d3e0a8952ee6ad4a31cff23988393694

SHA1
6b93fdf210711c7a10743b416b91e09c3a6b88cc

SHA256
e56add8d5de301e8adbc92d0e14a7f28001f32b85d67aa839181884d7fe64a49

SHA512
bb4ce6832d04824841a9e19c64d15cc43ba302cd339d6098c38213d74e4c467c4bb5cd36559786e07c48c8bf51caf4e77d802e32c91cd78cf9df0412b6c28ec8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2660163958-4080398480-1122754539-1000\0f5007522459c86e95ffcc62f32308f1_635445d0-2fc2-4150-8a92-100f79c7c9d7

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2660163958-4080398480-1122754539-1000\0f5007522459c86e95ffcc62f32308f1_635445d0-2fc2-4150-8a92-100f79c7c9d7

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\igcc.exe

Filesize
584KB

MD5
a554456e1e06f544244e44e7b23d869f

SHA1
08cb3cf3384ec48bd96f87dda6dfef17e80182e9

SHA256
06a66d13076422b3fae0da8a08324fbcf9a2dbc6fa042ee72e90058690f47dc3

SHA512
8ac6eb37e39c727a1f7eab782a13d1dccd0f6d8164e2eb809ba4726b1a28a752943393615df3b68911af942197a206901bd83880a45db798433b0f61cff48e93

Download Submit
memory/1180-118-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1180-119-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1180-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1180-108-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1180-110-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1180-114-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1180-121-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1180-116-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1180-112-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1788-101-0x0000000000040000-0x00000000000D8000-memory.dmp

Filesize
608KB

Download
memory/1788-102-0x00000000047B0000-0x0000000004852000-memory.dmp

Filesize
648KB

Download
memory/1788-106-0x0000000004CE0000-0x0000000004D42000-memory.dmp

Filesize
392KB

Download
memory/1788-104-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/1788-105-0x00000000007B0000-0x00000000007BE000-memory.dmp

Filesize
56KB

Download
memory/1788-103-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2436-26-0x0000000002D60000-0x0000000002D62000-memory.dmp

Filesize
8KB

Download
memory/2436-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2436-20-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2436-1-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2936-21-0x000000002FF71000-0x000000002FF72000-memory.dmp

Filesize
4KB

Download
memory/2936-23-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2936-85-0x000000007228D000-0x0000000072298000-memory.dmp

Filesize
44KB

Download
memory/2936-25-0x0000000003810000-0x0000000003812000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing