lokibot | f94b0dd0a257f49fe725f07b88aac985afc8b128a4c02578f3053a70697282e8

General

Target

SI1 X20'D000280.exe
Size

781KB
MD5

a49265372ee1fb62e111a66c4ac76501
SHA1

34b72db4d0c4fcf0a9bfef1bac78ad2024fce51c
SHA256

f94b0dd0a257f49fe725f07b88aac985afc8b128a4c02578f3053a70697282e8
SHA512

f731c2089c36b8a0b4ec74f3a84c0c66d3ff3fe6c582a25841c099cf7eda305a9457ba8975081e3814cf8ff7bf8ba6d67bf1d00585828a84dea1a27c898b238c

Score

10^/10

Family

lokibot

C2

http://albemalb.com/dumbo/dumbo1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

SI1 X20'D000280.exe

description pid process target process

PID 852 set thread context of 4024 852 SI1 X20'D000280.exe SI1 X20'D000280.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

SI1 X20'D000280.exe

pid process

4024 SI1 X20'D000280.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SI1 X20'D000280.exe

description pid process

Token: SeDebugPrivilege 4024 SI1 X20'D000280.exe

description	pid	process	target process
PID 852 set thread context of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe

pid	process
4024	SI1 X20'D000280.exe

description	pid	process
Token: SeDebugPrivilege	4024	SI1 X20'D000280.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SI1 X20'D000280.exe

description	pid	process	target process
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe
PID 852 wrote to memory of 4024	852	SI1 X20'D000280.exe	SI1 X20'D000280.exe

memory/852-114-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/852-116-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/852-117-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/852-118-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/852-119-0x0000000004EF0000-0x00000000053EE000-memory.dmp

Filesize
5.0MB

Download
memory/852-120-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/852-121-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/852-122-0x00000000053E0000-0x00000000053E4000-memory.dmp

Filesize
16KB

Download
memory/852-123-0x0000000006350000-0x0000000006401000-memory.dmp

Filesize
708KB

Download
memory/852-124-0x0000000000E10000-0x0000000000E83000-memory.dmp

Filesize
460KB

Download
memory/4024-125-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4024-126-0x00000000004139DE-mapping.dmp

Download
memory/4024-127-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download