lokibot | c3343b92155dfd866001b1126374d5d6e6e8efcbb889eccf0699dd6f29be580c

General

Target

pago urgentePDF_____________________.exe
Size

500KB
MD5

3f2edb003456f309c1f24e153cf40755
SHA1

66566ca27fa9ba736231f495b94c57f296ec921a
SHA256

c3343b92155dfd866001b1126374d5d6e6e8efcbb889eccf0699dd6f29be580c
SHA512

ff4ea7ed6386d7dc99eb90147220355a2ecdd62596ae4a09f871d6ff214e6de2bac2b47f22add35314274c804fad3424a5ec5fa9920e45648e93179a2dc994a5

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://51.195.53.221/p.php/qgZUTMW0pWR4Q

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

Processes:

pago urgentePDF_____________________.exe

description	pid	process	target process
PID 792 set thread context of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

pago urgentePDF_____________________.exe

pid process

792 pago urgentePDF_____________________.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

pago urgentePDF_____________________.exe

pid process

644 pago urgentePDF_____________________.exe

pid	process
792	pago urgentePDF_____________________.exe

pid	process
644	pago urgentePDF_____________________.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pago urgentePDF_____________________.exepago urgentePDF_____________________.exe

description	pid	process
Token: SeDebugPrivilege	792	pago urgentePDF_____________________.exe
Token: SeDebugPrivilege	644	pago urgentePDF_____________________.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

pago urgentePDF_____________________.exe

description	pid	process	target process
PID 792 wrote to memory of 1456	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 1456	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 1456	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 1456	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe
PID 792 wrote to memory of 644	792	pago urgentePDF_____________________.exe	pago urgentePDF_____________________.exe

C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe
"C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe
"C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"
2⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe
"C:\Users\Admin\AppData\Local\Temp\pago urgentePDF_____________________.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-8-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/644-9-0x00000000004139DE-mapping.dmp

Download
memory/644-10-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/644-11-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/792-2-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/792-3-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/792-5-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/792-6-0x0000000000430000-0x0000000000433000-memory.dmp

Filesize
12KB

Download
memory/792-7-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/1596-12-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads