lokibot | 2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81

General

Target

2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81.rtf
Size

87KB
MD5

29b3fc11ab9d647ec19d3e02364355b2
SHA1

bcacc163004990d917d6402942e3e34609fa33e5
SHA256

2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81
SHA512

68752b58c102c4816859f4e06a9e676509ffba01cbe2772d5694e76da37f4dcdf74bd62d8ecaa33ed42f773693aaf135ad1b4bd940ae2277a7900f0105c57ba0
SSDEEP

768:l5NZ+md7y9LGWjGT56kqg0PDvoszSzJpmSci/Dcohk:l5OpGWKT5Fx0LwFzJoSci/Nhk

Score

10^/10

lokibot collection credential_access discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://overclockingmachines.info/bally/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1964	EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2712	winiti.exe
1528	winiti.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	EQNEDT32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	winiti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	winiti.exe
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	winiti.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2712 set thread context of 1528	2712	winiti.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winiti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winiti.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1964	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3056	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	winiti.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3056	WINWORD.EXE
3056	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2712	1964	EQNEDT32.EXE	33
PID 1964 wrote to memory of 2712	1964	EQNEDT32.EXE	33
PID 1964 wrote to memory of 2712	1964	EQNEDT32.EXE	33
PID 1964 wrote to memory of 2712	1964	EQNEDT32.EXE	33
PID 3056 wrote to memory of 2680	3056	WINWORD.EXE	35
PID 3056 wrote to memory of 2680	3056	WINWORD.EXE	35
PID 3056 wrote to memory of 2680	3056	WINWORD.EXE	35
PID 3056 wrote to memory of 2680	3056	WINWORD.EXE	35
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36
PID 2712 wrote to memory of 1528	2712	winiti.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	winiti.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	winiti.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2680

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\winiti.exe
  "C:\Users\Admin\AppData\Roaming\winiti.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Roaming\winiti.exe
    "C:\Users\Admin\AppData\Roaming\winiti.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
599f177d7d73b209ce3301a566acf622

SHA1
f86483d4e7b2c73b0718a19a4af021ac0185047c

SHA256
027bebc40e732ddcfab0e15c81281955120f25699a5e7b179e96c0190371ba43

SHA512
a54cdc1dea7a661814365a05e5302c48b6d494cfe0215855ffae7e406da7d0e3943e7fa79fd56ae4666c5bb490d11cd9ad0fbe3e63a969325dcc0dadb66ba32d

Download Submit
\Users\Admin\AppData\Roaming\winiti.exe

Filesize
545KB

MD5
33f3dc03864d8d5cce813683d49ad2dd

SHA1
e8dfde644b945723e2fa9744f114bdd84be8068b

SHA256
84fb2ec298bec7a70493394b6d6caabcd0522a8f5f7753d8e725118c7e08da4e

SHA512
7723efdf7655847710fdf142477d5ff1496cec97f8043a3a14c82a554eb0f56bd1d96b420b118aa265636f59debfb721d950e71c21aec44bf5765e5710d68ded

Download Submit
memory/1528-33-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1528-62-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-52-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-24-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-20-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-22-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-31-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-26-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1528-28-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2712-16-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/2712-19-0x0000000005090000-0x00000000050F2000-memory.dmp

Filesize
392KB

Download
memory/2712-15-0x0000000000840000-0x00000000008CE000-memory.dmp

Filesize
568KB

Download
memory/2712-17-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2712-18-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/3056-0-0x000000002F921000-0x000000002F922000-memory.dmp

Filesize
4KB

Download
memory/3056-2-0x000000007357D000-0x0000000073588000-memory.dmp

Filesize
44KB

Download
memory/3056-54-0x000000007357D000-0x0000000073588000-memory.dmp

Filesize
44KB

Download
memory/3056-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3056-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing