lokibot | e665d8433c9e96b567470eb29b4f2857911001759b66cafb40c1123befdaf458

General

Target

c31ead8d90b9c54c190ca138cd2676be.exe
Size

811KB
MD5

c31ead8d90b9c54c190ca138cd2676be
SHA1

59ee610052c95f4ba5215cdbf0ea4bad33d28815
SHA256

e665d8433c9e96b567470eb29b4f2857911001759b66cafb40c1123befdaf458
SHA512

b1e84eaf7d03810d3adfb6814ca4a4894aa8516ab80b13d7868bd56682382b2960848aa9f8d2f1b252de2658a29be1e991b3e3642fd9ff01e695a8f1146fbd72

Score

10^/10

Family

lokibot

C2

http://blueriiver-eu.com/chief/offor/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

c31ead8d90b9c54c190ca138cd2676be.exe

description pid process target process

PID 1748 set thread context of 848 1748 c31ead8d90b9c54c190ca138cd2676be.exe c31ead8d90b9c54c190ca138cd2676be.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

c31ead8d90b9c54c190ca138cd2676be.exe

pid process

848 c31ead8d90b9c54c190ca138cd2676be.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c31ead8d90b9c54c190ca138cd2676be.exe

description pid process

Token: SeDebugPrivilege 848 c31ead8d90b9c54c190ca138cd2676be.exe

description	pid	process	target process
PID 1748 set thread context of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe

pid	process
848	c31ead8d90b9c54c190ca138cd2676be.exe

description	pid	process
Token: SeDebugPrivilege	848	c31ead8d90b9c54c190ca138cd2676be.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

c31ead8d90b9c54c190ca138cd2676be.exe

description	pid	process	target process
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe
PID 1748 wrote to memory of 848	1748	c31ead8d90b9c54c190ca138cd2676be.exe	c31ead8d90b9c54c190ca138cd2676be.exe

memory/848-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/848-8-0x00000000004139DE-mapping.dmp

Download
memory/848-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1164-10-0x000007FEF7040000-0x000007FEF72BA000-memory.dmp

Filesize
2.5MB

Download
memory/1748-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1748-3-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1748-5-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1748-6-0x00000000053F0000-0x0000000005443000-memory.dmp

Filesize
332KB

Download