lokibot | 56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d

General

Target

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
Size

632KB
MD5

f6c704a0363a8b530d9beb4e07cea5de
SHA1

2c3096f67064ffa63e785dd34b4b0ecdce975e77
SHA256

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d
SHA512

619c49e75074d696759a4cb4ce1f95eb9f1295c8870b73864dea9452fb6e88adeebdda5c32b79eb909bd336cf319baeb8f01f5323c761651eacff803f6382b7a

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://webtex.ga/rojas/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description	pid	process	target process
PID 3988 set thread context of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

pid process

2216 56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description pid process

Token: SeDebugPrivilege 2216 56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

pid	process
2216	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description	pid	process
Token: SeDebugPrivilege	2216	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

description	pid	process	target process
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
PID 3988 wrote to memory of 2216	3988	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe	56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe

C:\Users\Admin\AppData\Local\Temp\56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
"C:\Users\Admin\AppData\Local\Temp\56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\56790883c5da2b30d0f089454ab67a354d98de2a7796e34d0438e0b515a3ec3d.exe
"{path}"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2216-12-0x00000000004139DE-mapping.dmp

Download
memory/2216-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3988-2-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3988-3-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3988-5-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3988-6-0x0000000005360000-0x000000000536E000-memory.dmp

Filesize
56KB

Download
memory/3988-7-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/3988-8-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3988-9-0x0000000006650000-0x000000000669E000-memory.dmp

Filesize
312KB

Download
memory/3988-10-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing