lokibot | 14ea26a775bf7cd9c438c726ec846bf9cdce4d76c918ad5ed3774376b0de3619

General

Target

f48645f93407473fccd3d921827b876e.rtf
Size

63KB
MD5

f48645f93407473fccd3d921827b876e
SHA1

9d81d6c22da289fc2b04c0f7cef803debccbf72d
SHA256

14ea26a775bf7cd9c438c726ec846bf9cdce4d76c918ad5ed3774376b0de3619
SHA512

dbf232cf00ad890c4710e1ec80c2c430d5aa7e252aac0b658e527d74eff3b4595ead6f784754aeaaf219b7323a7ee69bcfe06d5a1afaa3720ea44d5aae96cbf0
SSDEEP

384:ueebxsoUZWX0ivcXPJd0QUSWXqzTJfF+alifsG+sgnBMdbuOTM:ueixsTwgPJqQUSilhfIshuOTM

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://dashboardproducts.info/bally/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2724	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2624	igcc.exe
1116	igcc.exe

Loads dropped DLL 2 IoCs

pid	Process
2724	EQNEDT32.EXE
2724	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igcc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	igcc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 1116	2624	igcc.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2724	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2704	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	igcc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	WINWORD.EXE
2704	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2624	2724	EQNEDT32.EXE	31
PID 2724 wrote to memory of 2624	2724	EQNEDT32.EXE	31
PID 2724 wrote to memory of 2624	2724	EQNEDT32.EXE	31
PID 2724 wrote to memory of 2624	2724	EQNEDT32.EXE	31
PID 2704 wrote to memory of 600	2704	WINWORD.EXE	33
PID 2704 wrote to memory of 600	2704	WINWORD.EXE	33
PID 2704 wrote to memory of 600	2704	WINWORD.EXE	33
PID 2704 wrote to memory of 600	2704	WINWORD.EXE	33
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34
PID 2624 wrote to memory of 1116	2624	igcc.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	igcc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	igcc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f48645f93407473fccd3d921827b876e.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:600

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Roaming\igcc.exe
  "C:\Users\Admin\AppData\Roaming\igcc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\igcc.exe
    "C:\Users\Admin\AppData\Roaming\igcc.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
1f1624d426d43f8718f62c5c986d846c

SHA1
6795f86b67a033a4f2da28eb76b8645af7a54b9e

SHA256
9282092a9c018c2a61dda8bdd1f6e02e7be167c9bffda6d1254e960024a8f6e5

SHA512
b91f66d4a188d3857f6974a0b20c0d980858e072151891b689307c3acd408b7e4e89702d9d0a819edf0f9ce0bba72c16a438fd09910be3a5679c620cea5c9047

Download Submit
C:\Users\Admin\AppData\Roaming\igcc.exe

Filesize
584KB

MD5
a554456e1e06f544244e44e7b23d869f

SHA1
08cb3cf3384ec48bd96f87dda6dfef17e80182e9

SHA256
06a66d13076422b3fae0da8a08324fbcf9a2dbc6fa042ee72e90058690f47dc3

SHA512
8ac6eb37e39c727a1f7eab782a13d1dccd0f6d8164e2eb809ba4726b1a28a752943393615df3b68911af942197a206901bd83880a45db798433b0f61cff48e93

Download Submit
memory/1116-36-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-57-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-29-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-27-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1116-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1116-38-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2624-19-0x0000000000820000-0x00000000008C2000-memory.dmp

Filesize
648KB

Download
memory/2624-24-0x0000000002270000-0x00000000022D2000-memory.dmp

Filesize
392KB

Download
memory/2624-23-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/2624-18-0x0000000000DD0000-0x0000000000E68000-memory.dmp

Filesize
608KB

Download
memory/2624-22-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2624-20-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2704-0-0x000000002F131000-0x000000002F132000-memory.dmp

Filesize
4KB

Download
memory/2704-2-0x0000000073FBD000-0x0000000073FC8000-memory.dmp

Filesize
44KB

Download
memory/2704-59-0x0000000073FBD000-0x0000000073FC8000-memory.dmp

Filesize
44KB

Download
memory/2704-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2704-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing