lokibot | ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c

General

Target

ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
Size

1.4MB
MD5

6e4ac22170c939c2a9df7562cce08c24
SHA1

b22fdae7fc8753e4af513a5b940b6b7862c6ec98
SHA256

ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c
SHA512

85cc50f51c87ff479d0a174842071f2e547e41a489b4fda197935a24c56ff8c5525d75dd284dd6e50b4c68ce6290baf4a5675e1f39c7a89058bf21f4523e17cd

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://becharnise.ir/fa2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

Processes:

ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

description	pid	process	target process
PID 1788 set thread context of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

pid process

784 ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

description pid process

Token: SeDebugPrivilege 784 ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

pid	process
784	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

description	pid	process
Token: SeDebugPrivilege	784	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

description	pid	process	target process
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
PID 1788 wrote to memory of 784	1788	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe	ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe

C:\Users\Admin\AppData\Local\Temp\ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
"C:\Users\Admin\AppData\Local\Temp\ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe
"C:\Users\Admin\AppData\Local\Temp\ddba7f7f2dfc3893af0230bfffacaffb3bb01a118bdc9a2a7bcdbdd53f1a4f4c.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-8-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/784-9-0x00000000004139DE-mapping.dmp

Download
memory/784-10-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/784-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/828-12-0x000007FEF5B70000-0x000007FEF5DEA000-memory.dmp

Filesize
2.5MB

Download
memory/1788-2-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1788-3-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1788-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1788-6-0x0000000000240000-0x0000000000253000-memory.dmp

Filesize
76KB

Download
memory/1788-7-0x0000000000A40000-0x0000000000ADC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing