lokibot | bcba831c8adb8887ed3e7e82cb61482f5f6ff19c4b7d84478b6958999c04879c

General

Target

1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
Size

1.3MB
MD5

4e17636b1b64b2039bae2890d1f85b43
SHA1

1b15c3d1e31b255a45b9c2731f82ac71a866bddd
SHA256

bcba831c8adb8887ed3e7e82cb61482f5f6ff19c4b7d84478b6958999c04879c
SHA512

45ee408ba1958fd645ab58ff0242dacbfdba1711bfac293e8cabadf16a6bce765c3416e086cebffee6bdde91343a3e5a9da6253604a6add25969937043798d04

Score

10^/10

Family

lokibot

C2

http://51.195.53.221/p.php/qElaNgWyezEFV

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

description	pid	process	target process
PID 1732 set thread context of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

pid process

1564 1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

description pid process

Token: SeDebugPrivilege 1564 1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

pid	process
1564	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

description	pid	process
Token: SeDebugPrivilege	1564	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

description	pid	process	target process
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe
PID 1732 wrote to memory of 1564	1732	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe	1b15c3d1e31b255a45b9c2731f82ac71a866bddd.exe

memory/1016-10-0x000007FEF6400000-0x000007FEF667A000-memory.dmp

Filesize
2.5MB

Download
memory/1564-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1564-8-0x00000000004139DE-mapping.dmp

Download
memory/1564-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1732-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-3-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/1732-5-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1732-6-0x0000000000B80000-0x0000000000BD8000-memory.dmp

Filesize
352KB

Download