lokibot | 9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b

General

Target

SCAN-HSBC-PAYMENT-ADVICE.xls
Size

751KB
MD5

32eb79369e1e7e135906f146b9d35457
SHA1

cf00749dc8097014fa6f94dba1b400e600cd92d8
SHA256

9634a4f19306cf8e57396c40e99612888f2663cfe261e3640b836ad488cfe95b
SHA512

808b364e5688dc85565411933fb03dbed3b21d0043776585e133f4ad817079fee36c02f1b530fbc0b260e4970ed3b13f6d5deacf39b9cd7a85420dec50c14904
SSDEEP

12288:0qFzu4LSZU2QdSZKHuntvZctbyyWgFfX202BToNcq7nqDljjTvyd8NPi9zS+i:Nzu4LLxdSZw0vZEbciX20KTZ++ljjTDD

Score

10^/10

lokibot collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://overclockingmachines.info/bally/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
12	588	EQNEDT32.EXE

Downloads MZ/PE file

Abuses OpenXML format to download file from external location 2 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\14.0\Common	EXCEL.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Common\Offline\Files\http://tny.wtf/iFpoP	WINWORD.EXE

Executes dropped EXE 2 IoCs

pid	Process
1964	winiti.exe
2320	winiti.exe

Loads dropped DLL 1 IoCs

pid	Process
588	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	winiti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	winiti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	winiti.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 2320	1964	winiti.exe	34

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
588	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2256	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	winiti.exe
Token: SeShutdownPrivilege	2468	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2256	EXCEL.EXE
2256	EXCEL.EXE
2256	EXCEL.EXE
2468	WINWORD.EXE
2468	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 1964	588	EQNEDT32.EXE	32
PID 588 wrote to memory of 1964	588	EQNEDT32.EXE	32
PID 588 wrote to memory of 1964	588	EQNEDT32.EXE	32
PID 588 wrote to memory of 1964	588	EQNEDT32.EXE	32
PID 2468 wrote to memory of 1948	2468	WINWORD.EXE	33
PID 2468 wrote to memory of 1948	2468	WINWORD.EXE	33
PID 2468 wrote to memory of 1948	2468	WINWORD.EXE	33
PID 2468 wrote to memory of 1948	2468	WINWORD.EXE	33
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34
PID 1964 wrote to memory of 2320	1964	winiti.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	winiti.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	winiti.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SCAN-HSBC-PAYMENT-ADVICE.xls
1⤵
- Abuses OpenXML format to download file from external location
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Abuses OpenXML format to download file from external location
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1948

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:588
- C:\Users\Admin\AppData\Roaming\winiti.exe
  "C:\Users\Admin\AppData\Roaming\winiti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\winiti.exe
    "C:\Users\Admin\AppData\Roaming\winiti.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
2e366dc19a8c92be76a80cf5e86c3270

SHA1
8dd1ca4a379fa4adb77d575a317d5dad02fe266f

SHA256
59de27ea512cf9c8a26db5aa32e15332e64137f347f29240294ccda8b2fbb8cb

SHA512
ff1eddd16d06005941131ba988049133c2c4244b1c54388a00482c112b3948acb02be285bc4f3c0dd03d5a4c178217820bf1ae227b8f40c10dfa4a98b1b10276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
72f3df1251927f461fc4b8757faadeb2

SHA1
759a7f96331011692e3c2185c6236b6654dc67b0

SHA256
b6761594daabbeb3242c441897d3de46273d12c628fd58ab3f1e4bc0e820d3b9

SHA512
45bd27de07e6488e333b10353a435d27087df3c80513cb7f2df127c88fdc0ae8ae791cd73ee7500e9b319b104cf4592b39de23b36baf74921b4d1039dfe544a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\megreatwithyourlovertothinkaboutthenewconceptgreaterthanbefore_________ireallylovingthisbewbeautytoinvolvethestructure[1].doc

Filesize
87KB

MD5
29b3fc11ab9d647ec19d3e02364355b2

SHA1
bcacc163004990d917d6402942e3e34609fa33e5

SHA256
2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81

SHA512
68752b58c102c4816859f4e06a9e676509ffba01cbe2772d5694e76da37f4dcdf74bd62d8ecaa33ed42f773693aaf135ad1b4bd940ae2277a7900f0105c57ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CCDA1DBA-5718-4D24-9E6E-5A6449BC1D80}

Filesize
128KB

MD5
c77e5291031aefe04b33bfe097edf34b

SHA1
7ed25f50913fd6d053e62a2f1a12b21ec2fc1be6

SHA256
0531a4fa83af2ccf7c7d6d964831ba9250b59ddd55c0d6afa99a5198266a6d2a

SHA512
053fce5029e2c9c54edb366cb13022089769b34e138426c01d185b893bdaa157b3a4edc340085e84a3cd7cd15c48873b949bd9fa0dc644fa507b206f7ea7ebcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\0f5007522459c86e95ffcc62f32308f1_5349ca0f-aec5-405f-83e0-aa034653cb76

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\0f5007522459c86e95ffcc62f32308f1_5349ca0f-aec5-405f-83e0-aa034653cb76

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\winiti.exe

Filesize
545KB

MD5
33f3dc03864d8d5cce813683d49ad2dd

SHA1
e8dfde644b945723e2fa9744f114bdd84be8068b

SHA256
84fb2ec298bec7a70493394b6d6caabcd0522a8f5f7753d8e725118c7e08da4e

SHA512
7723efdf7655847710fdf142477d5ff1496cec97f8043a3a14c82a554eb0f56bd1d96b420b118aa265636f59debfb721d950e71c21aec44bf5765e5710d68ded

Download Submit
memory/1964-97-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/1964-93-0x0000000000450000-0x0000000000464000-memory.dmp

Filesize
80KB

Download
memory/1964-98-0x0000000001260000-0x00000000012C2000-memory.dmp

Filesize
392KB

Download
memory/1964-96-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1964-92-0x0000000001330000-0x00000000013BE000-memory.dmp

Filesize
568KB

Download
memory/2256-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2256-94-0x0000000071BAD000-0x0000000071BB8000-memory.dmp

Filesize
44KB

Download
memory/2256-8-0x0000000001DE0000-0x0000000001DE2000-memory.dmp

Filesize
8KB

Download
memory/2256-1-0x0000000071BAD000-0x0000000071BB8000-memory.dmp

Filesize
44KB

Download
memory/2320-101-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-140-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-99-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-131-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-103-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-112-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-110-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2320-107-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2320-105-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2468-95-0x0000000071BAD000-0x0000000071BB8000-memory.dmp

Filesize
44KB

Download
memory/2468-3-0x000000002F791000-0x000000002F792000-memory.dmp

Filesize
4KB

Download
memory/2468-5-0x0000000071BAD000-0x0000000071BB8000-memory.dmp

Filesize
44KB

Download
memory/2468-7-0x0000000003880000-0x0000000003882000-memory.dmp

Filesize
8KB

Download
memory/2468-155-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2468-156-0x0000000071BAD000-0x0000000071BB8000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing