lokibot | 56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d

General

Target

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
Size

632KB
MD5

f6c704a0363a8b530d9beb4e07cea5de
SHA1

2c3096f67064ffa63e785dd34b4b0ecdce975e77
SHA256

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d
SHA512

619c49e75074d696759a4cb4ce1f95eb9f1295c8870b73864dea9452fb6e88adeebdda5c32b79eb909bd336cf319baeb8f01f5323c761651eacff803f6382b7a

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://webtex.ga/rojas/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description	pid	process	target process
PID 2024 set thread context of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

pid process

1016 56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description pid process

Token: SeDebugPrivilege 1016 56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

pid	process
1016	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description	pid	process
Token: SeDebugPrivilege	1016	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description	pid	process	target process
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 2024 wrote to memory of 1016	2024	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

C:\Users\Admin\AppData\Local\Temp\56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
"C:\Users\Admin\AppData\Local\Temp\56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
"{path}"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/552-10-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1016-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1016-8-0x00000000004139DE-mapping.dmp

Download
memory/1016-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2024-2-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-3-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2024-5-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2024-6-0x0000000004BE0000-0x0000000004C2E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing