lokibot | bc4bab61ab8b90451441bacba2edad8c1acd2a93c0318f4f4aa303627c4e7e3a

Analysis

Target

6f11b6baad406aa223f72545d807e8f9.exe
Size

896KB
MD5

6f11b6baad406aa223f72545d807e8f9
SHA1

2536e4e60bf71286db7f8a0c16fcbb68ca6944d1
SHA256

bc4bab61ab8b90451441bacba2edad8c1acd2a93c0318f4f4aa303627c4e7e3a
SHA512

28c0cfbdd1bf5aaf30a63d4f7e5a06e28a9f66356d2ddee297a50cda56a9f895e2036d36efe90d7a9e0cecbe49a518f030d4906b7f3616acfe82ab6b30c4b91b

Score

10^/10

Family

lokibot

https://worldpackmx.com/wfretyuil/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

6f11b6baad406aa223f72545d807e8f9.exe

description pid process target process

PID 640 set thread context of 936 640 6f11b6baad406aa223f72545d807e8f9.exe 6f11b6baad406aa223f72545d807e8f9.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6f11b6baad406aa223f72545d807e8f9.exe

pid process

936 6f11b6baad406aa223f72545d807e8f9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6f11b6baad406aa223f72545d807e8f9.exe

description pid process

Token: SeDebugPrivilege 936 6f11b6baad406aa223f72545d807e8f9.exe

description	pid	process	target process
PID 640 set thread context of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe

pid	process
936	6f11b6baad406aa223f72545d807e8f9.exe

description	pid	process
Token: SeDebugPrivilege	936	6f11b6baad406aa223f72545d807e8f9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6f11b6baad406aa223f72545d807e8f9.exe

description	pid	process	target process
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe
PID 640 wrote to memory of 936	640	6f11b6baad406aa223f72545d807e8f9.exe	6f11b6baad406aa223f72545d807e8f9.exe

memory/936-2-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-3-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-4-0x00000000004139DE-mapping.dmp

Download