Overview

overview

10

Static

static

svchost.exe

windows7_x64

10

svchost.exe

windows10_x64

10

Analysis

  • max time kernel
    1s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    09-07-2020 15:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost.exe

  • Size

    263KB

  • MD5

    e1204f68e985164c7c87828095f5bcb6

  • SHA1

    67e5b6c6c5cd7f5fc50d63063de04db9ddfd218e

  • SHA256

    4fcb2d6dd4e6699e31ef782cdb40bdf65c388311c72952702e8f3024c46c2793

  • SHA512

    015962a5572986be335ea9e6691573a3396ee3864fb5b3b7da1f462127b102aef27a772b9b881802e2256edc52ba63c8476d7119326f81797381f3c3f30113d9

Score
10/10
trojanspywarestealerlokibot

Malware Config

Extracted

Family

lokibot

C2

http://195.69.140.147/.op/cr.php/vms5lZmxPBbEN

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

    trojanspywarestealerlokibot
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 96 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:3848
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:3292

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3292-0-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/3292-1-0x00000000004139DE-mapping.dmp

      Download

    • memory/3292-2-0x0000000000400000-0x00000000004A2000-memory.dmp

      Filesize

      648KB

      Download