lokibot | f58cdcc753abc5e59a1d6367b421517b89992a43b41b9bccdb277ef69de4d6b0

General

Target

TNT Original Invoice.exe
Size

858KB
MD5

5c7188426a084631737fc8792926945e
SHA1

3f9548fca35c6439b2f9ecc621cfb98c2be6ebc2
SHA256

f58cdcc753abc5e59a1d6367b421517b89992a43b41b9bccdb277ef69de4d6b0
SHA512

97e4a513fa6bdceff46c012efb1cb74906fa3ac94903107594c0a436d6b815f15d57588113ad7917d56a2ff6e5adc96fd3f2233bc53e34ee751b1b53e1cfa4e1

Score

10^/10

Family

lokibot

C2

http://51.195.53.221/p.php/cfOoZYb0LXPms

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT Original Invoice.exe

description pid process target process

PID 580 set thread context of 3832 580 TNT Original Invoice.exe TNT Original Invoice.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

TNT Original Invoice.exe

pid process

3832 TNT Original Invoice.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TNT Original Invoice.exe

description pid process

Token: SeDebugPrivilege 3832 TNT Original Invoice.exe

description	pid	process	target process
PID 580 set thread context of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe

pid	process
3832	TNT Original Invoice.exe

description	pid	process
Token: SeDebugPrivilege	3832	TNT Original Invoice.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

TNT Original Invoice.exe

description	pid	process	target process
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe
PID 580 wrote to memory of 3832	580	TNT Original Invoice.exe	TNT Original Invoice.exe

memory/580-2-0x0000000073F30000-0x000000007461E000-memory.dmp

Filesize
6.9MB

Download
memory/580-3-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/580-5-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/580-6-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/580-8-0x0000000005530000-0x000000000553E000-memory.dmp

Filesize
56KB

Download
memory/580-9-0x0000000005F60000-0x0000000005F98000-memory.dmp

Filesize
224KB

Download
memory/580-10-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/3832-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3832-12-0x00000000004139DE-mapping.dmp

Download
memory/3832-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download