lokibot | d236ee873e8191d24434226bc7b80f0542db7ed43323181b5ee8bc3a3de052cc

General

Target

d6fc664bb8081dbf36630f415ec96dcf.exe
Size

979KB
MD5

d6fc664bb8081dbf36630f415ec96dcf
SHA1

d6252d55da7f1036fe33049dbb65b1b68c477599
SHA256

d236ee873e8191d24434226bc7b80f0542db7ed43323181b5ee8bc3a3de052cc
SHA512

e8a5d33a45c73a0e7fe1d9afe158921af332055399b69893d9d1727375da259429eb2805b424a992618077f1d4bf0c9ff782b81025f2ca5021826bc49bd30a39

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://azme-contractors.com/chief/kev/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

d6fc664bb8081dbf36630f415ec96dcf.exe

description pid process target process

PID 808 set thread context of 676 808 d6fc664bb8081dbf36630f415ec96dcf.exe d6fc664bb8081dbf36630f415ec96dcf.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d6fc664bb8081dbf36630f415ec96dcf.exe

pid process

808 d6fc664bb8081dbf36630f415ec96dcf.exe
808 d6fc664bb8081dbf36630f415ec96dcf.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

d6fc664bb8081dbf36630f415ec96dcf.exe

pid process

676 d6fc664bb8081dbf36630f415ec96dcf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d6fc664bb8081dbf36630f415ec96dcf.exed6fc664bb8081dbf36630f415ec96dcf.exe

description pid process

Token: SeDebugPrivilege 808 d6fc664bb8081dbf36630f415ec96dcf.exe
Token: SeDebugPrivilege 676 d6fc664bb8081dbf36630f415ec96dcf.exe

description	pid	process	target process
PID 808 set thread context of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe

pid	process
808	d6fc664bb8081dbf36630f415ec96dcf.exe
808	d6fc664bb8081dbf36630f415ec96dcf.exe

pid	process
676	d6fc664bb8081dbf36630f415ec96dcf.exe

description	pid	process
Token: SeDebugPrivilege	808	d6fc664bb8081dbf36630f415ec96dcf.exe
Token: SeDebugPrivilege	676	d6fc664bb8081dbf36630f415ec96dcf.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d6fc664bb8081dbf36630f415ec96dcf.exe

description	pid	process	target process
PID 808 wrote to memory of 516	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 516	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 516	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 516	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe
PID 808 wrote to memory of 676	808	d6fc664bb8081dbf36630f415ec96dcf.exe	d6fc664bb8081dbf36630f415ec96dcf.exe

C:\Users\Admin\AppData\Local\Temp\d6fc664bb8081dbf36630f415ec96dcf.exe
"C:\Users\Admin\AppData\Local\Temp\d6fc664bb8081dbf36630f415ec96dcf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\d6fc664bb8081dbf36630f415ec96dcf.exe
  "C:\Users\Admin\AppData\Local\Temp\d6fc664bb8081dbf36630f415ec96dcf.exe"
  2⤵
  PID:516
- C:\Users\Admin\AppData\Local\Temp\d6fc664bb8081dbf36630f415ec96dcf.exe
  "C:\Users\Admin\AppData\Local\Temp\d6fc664bb8081dbf36630f415ec96dcf.exe"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/676-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/676-8-0x00000000004139DE-mapping.dmp

Download
memory/676-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/808-2-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/808-3-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/808-5-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/808-6-0x0000000004E60000-0x0000000004EB7000-memory.dmp

Filesize
348KB

Download
memory/1092-10-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing