lokibot | 9010e5361743ddacac6baa4a585ed4d9db9ed3ce65401b012d16923afebe414f

General

Target

dd56737c942385f2ab60a3e80a175ed2.exe
Size

985KB
MD5

dd56737c942385f2ab60a3e80a175ed2
SHA1

1a990bf3c300b119de7b9f6f16b246c6a8848855
SHA256

9010e5361743ddacac6baa4a585ed4d9db9ed3ce65401b012d16923afebe414f
SHA512

e1a5c778629068c23af7884db21f0e96a16ddb52f24934bf1b7a945632db902ad41f4bfb7749d8ed6280c0bc1e1a4fa51598d6f53f7988c0bf65a7b920dc1a1b

Score

10^/10

Family

lokibot

C2

http://azzmtool.com/chief/offor/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

dd56737c942385f2ab60a3e80a175ed2.exe

description pid process target process

PID 1936 set thread context of 920 1936 dd56737c942385f2ab60a3e80a175ed2.exe dd56737c942385f2ab60a3e80a175ed2.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

dd56737c942385f2ab60a3e80a175ed2.exe

pid process

920 dd56737c942385f2ab60a3e80a175ed2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dd56737c942385f2ab60a3e80a175ed2.exe

description pid process

Token: SeDebugPrivilege 920 dd56737c942385f2ab60a3e80a175ed2.exe

description	pid	process	target process
PID 1936 set thread context of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe

pid	process
920	dd56737c942385f2ab60a3e80a175ed2.exe

description	pid	process
Token: SeDebugPrivilege	920	dd56737c942385f2ab60a3e80a175ed2.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

dd56737c942385f2ab60a3e80a175ed2.exe

description	pid	process	target process
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe
PID 1936 wrote to memory of 920	1936	dd56737c942385f2ab60a3e80a175ed2.exe	dd56737c942385f2ab60a3e80a175ed2.exe

memory/436-10-0x000007FEF6E90000-0x000007FEF710A000-memory.dmp

Filesize
2.5MB

Download
memory/920-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/920-8-0x00000000004139DE-mapping.dmp

Download
memory/920-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1936-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-3-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1936-5-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/1936-6-0x0000000005330000-0x0000000005388000-memory.dmp

Filesize
352KB

Download