lokibot | 91f8ad08e33830df10bedd519ccbfc3d910a6456ac964e1e6871838b9558e599

General

Target

DOC0043999675.PDF.bat.exe
Size

891KB
MD5

25fdf23ec9f72498ac683767c12a5145
SHA1

363b35fcb7aa46f536f531ce9c3c1fccacb96e0c
SHA256

91f8ad08e33830df10bedd519ccbfc3d910a6456ac964e1e6871838b9558e599
SHA512

decb4796c57ed86d08fedfdefdc2ba082222b1f983d891cd36d0af1dfefa625ed0f5ae385dbdc8d65e785cfa8edb1f0d76cf777216040e81e565f483ed88162e

Score

10^/10

Family

lokibot

C2

http://51.195.53.221/p.php/dklX59XNxRkB6

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOC0043999675.PDF.bat.exe

description pid process target process

PID 4768 set thread context of 4424 4768 DOC0043999675.PDF.bat.exe DOC0043999675.PDF.bat.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

DOC0043999675.PDF.bat.exe

pid process

4424 DOC0043999675.PDF.bat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DOC0043999675.PDF.bat.exe

description pid process

Token: SeDebugPrivilege 4424 DOC0043999675.PDF.bat.exe

description	pid	process	target process
PID 4768 set thread context of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe

pid	process
4424	DOC0043999675.PDF.bat.exe

description	pid	process
Token: SeDebugPrivilege	4424	DOC0043999675.PDF.bat.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DOC0043999675.PDF.bat.exe

description	pid	process	target process
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe
PID 4768 wrote to memory of 4424	4768	DOC0043999675.PDF.bat.exe	DOC0043999675.PDF.bat.exe

memory/4424-12-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4424-13-0x00000000004139DE-mapping.dmp

Download
memory/4424-14-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4768-2-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/4768-3-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/4768-5-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4768-6-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4768-7-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4768-8-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4768-9-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4768-10-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4768-11-0x0000000005740000-0x0000000005793000-memory.dmp

Filesize
332KB

Download