lokibot | c224aee225d2b4980133a3329d8c9b2100987cfaa12342dc745b8d74d669f3f9

General

Target

duka.rtf
Size

720KB
MD5

76569c5b4afa68005a85dc89be17c202
SHA1

faf59d22868e0a31e8a26487a3c698713a6098b1
SHA256

c224aee225d2b4980133a3329d8c9b2100987cfaa12342dc745b8d74d669f3f9
SHA512

1e9749e6ca3b9496710c2762c87a109c2f08bb9113c8ba938a3ff800a3d4e9699833c9eef397da880cf8846dd8bad1da8814a2bd35104707d67a7448791f5958
SSDEEP

6144:VGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuS:+

Score

10^/10

lokibot collection execution spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://104.248.205.66/index.php/wp?s=831

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2820	EQNEDT32.EXE
6	2820	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2824	dukas39199.scr
2392	dukas39199.scr

Loads dropped DLL 1 IoCs

pid	Process
2820	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	dukas39199.scr
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dukas39199.scr
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dukas39199.scr

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2392	2824	dukas39199.scr	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2820	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3044	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2608	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2392	dukas39199.scr

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	WINWORD.EXE
3044	WINWORD.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2824	2820	EQNEDT32.EXE	30
PID 2820 wrote to memory of 2824	2820	EQNEDT32.EXE	30
PID 2820 wrote to memory of 2824	2820	EQNEDT32.EXE	30
PID 2820 wrote to memory of 2824	2820	EQNEDT32.EXE	30
PID 3044 wrote to memory of 2240	3044	WINWORD.EXE	32
PID 3044 wrote to memory of 2240	3044	WINWORD.EXE	32
PID 3044 wrote to memory of 2240	3044	WINWORD.EXE	32
PID 3044 wrote to memory of 2240	3044	WINWORD.EXE	32
PID 2824 wrote to memory of 2608	2824	dukas39199.scr	33
PID 2824 wrote to memory of 2608	2824	dukas39199.scr	33
PID 2824 wrote to memory of 2608	2824	dukas39199.scr	33
PID 2824 wrote to memory of 2608	2824	dukas39199.scr	33
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34
PID 2824 wrote to memory of 2392	2824	dukas39199.scr	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	dukas39199.scr

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	dukas39199.scr

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\duka.rtf"
1⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2240

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Roaming\dukas39199.scr
  "C:\Users\Admin\AppData\Roaming\dukas39199.scr"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dukas39199.scr"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Users\Admin\AppData\Roaming\dukas39199.scr
    "C:\Users\Admin\AppData\Roaming\dukas39199.scr"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2660163958-4080398480-1122754539-1000\0f5007522459c86e95ffcc62f32308f1_635445d0-2fc2-4150-8a92-100f79c7c9d7

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2660163958-4080398480-1122754539-1000\0f5007522459c86e95ffcc62f32308f1_635445d0-2fc2-4150-8a92-100f79c7c9d7

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
7e97da4cd05b151c3490a61933f3b247

SHA1
3fe0ec9e5f46fa2b97a59954b4d8c8fd7c96f2c6

SHA256
810b55cc3910a1927a8d8854b8cd00237399bfd327e3206f3d12de76d84212a2

SHA512
0e158937a4a333d9090f8d321f4a55a723f883ed37680867d278adef3352242175097ee81b37ec00ddd74d3645d6bbf8b2fe2875f3ac226bbb4376535890e402

Download Submit
C:\Users\Admin\AppData\Roaming\dukas39199.scr

Filesize
549KB

MD5
8842ebb96a902d9dc28296d45abbbf53

SHA1
4a1a850f093f2f97a7afabe0a8bdb33fed886fc8

SHA256
c19b70dbb4f6b4c1d33175598d82df4fd0798955a6c26a3d5f787cfc5566734c

SHA512
7e38b1a428d637d16c8279f17e2a13723d7b5a888cb038505e9e0956c060a31923f7533f9547743da89e6ba676b1874f13920f86968af94518c2de522d9f2b9b

Download Submit
memory/2392-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-35-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-46-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-44-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2392-41-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-37-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2392-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2824-30-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/2824-29-0x00000000001C0000-0x000000000024C000-memory.dmp

Filesize
560KB

Download
memory/2824-32-0x0000000004250000-0x00000000042B2000-memory.dmp

Filesize
392KB

Download
memory/2824-31-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/3044-0-0x000000002FD11000-0x000000002FD12000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3044-69-0x0000000071A7D000-0x0000000071A88000-memory.dmp

Filesize
44KB

Download
memory/3044-2-0x0000000071A7D000-0x0000000071A88000-memory.dmp

Filesize
44KB

Download
memory/3044-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing