lokibot | e4e0857b271733e43190c89d0f20bb647137f68fa7b2b5cc387b0c367ec1427c | Triage

Analysis

max time kernel
129s
max time network
181s
platform
windows7_x64
resource
win7v20210410
submitted
24-06-2021 03:07

Sharing

Report Analysis Logs

General

Target

3611d560a21bf2d2f4641a3e3fa76756.exe
Size

358KB
MD5

3611d560a21bf2d2f4641a3e3fa76756
SHA1

1ece03720b34dbba699936e1fa1cd3bb719c20ea
SHA256

e4e0857b271733e43190c89d0f20bb647137f68fa7b2b5cc387b0c367ec1427c
SHA512

cfa66e97b3dacc55f2b9055f194ac6d28f920354a4362d7e1045613ae7fb935eb93a90ea505995ff070cb5abdf850021ced547b747494f763499b1e8008adc5c

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

C2

http://manvim.co/fd3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious behavior: RenamesItself 1 IoCs

Processes:

3611d560a21bf2d2f4641a3e3fa76756.exe

pid process

1048 3611d560a21bf2d2f4641a3e3fa76756.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3611d560a21bf2d2f4641a3e3fa76756.exe

description pid process

Token: SeDebugPrivilege 1048 3611d560a21bf2d2f4641a3e3fa76756.exe

C:\Users\Admin\AppData\Local\Temp\3611d560a21bf2d2f4641a3e3fa76756.exe
"C:\Users\Admin\AppData\Local\Temp\3611d560a21bf2d2f4641a3e3fa76756.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-60-0x0000000000220000-0x000000000023B000-memory.dmp

Filesize
108KB

Download
memory/1048-61-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1048-62-0x0000000000400000-0x00000000008F7000-memory.dmp

Filesize
5.0MB

Download