lokibot | f58cdcc753abc5e59a1d6367b421517b89992a43b41b9bccdb277ef69de4d6b0

Analysis

Target

TNT Original Invoice.exe
Size

858KB
MD5

5c7188426a084631737fc8792926945e
SHA1

3f9548fca35c6439b2f9ecc621cfb98c2be6ebc2
SHA256

f58cdcc753abc5e59a1d6367b421517b89992a43b41b9bccdb277ef69de4d6b0
SHA512

97e4a513fa6bdceff46c012efb1cb74906fa3ac94903107594c0a436d6b815f15d57588113ad7917d56a2ff6e5adc96fd3f2233bc53e34ee751b1b53e1cfa4e1

Score

10^/10

Family

lokibot

http://51.195.53.221/p.php/cfOoZYb0LXPms

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT Original Invoice.exe

description pid process target process

PID 1744 set thread context of 1660 1744 TNT Original Invoice.exe TNT Original Invoice.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

TNT Original Invoice.exe

pid process

1660 TNT Original Invoice.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TNT Original Invoice.exe

description pid process

Token: SeDebugPrivilege 1660 TNT Original Invoice.exe

description	pid	process	target process
PID 1744 set thread context of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe

pid	process
1660	TNT Original Invoice.exe

description	pid	process
Token: SeDebugPrivilege	1660	TNT Original Invoice.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

TNT Original Invoice.exe

description	pid	process	target process
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 1744 wrote to memory of 1660	1744	TNT Original Invoice.exe	TNT Original Invoice.exe

memory/332-10-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download
memory/1660-7-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1660-8-0x00000000004139DE-mapping.dmp

Download
memory/1660-9-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1744-2-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1744-5-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/1744-6-0x0000000002210000-0x0000000002248000-memory.dmp

Filesize
224KB

Download