lokibot | 2ec0872bb8cf5985b8bc64c1d15e6710f2c42a609682cd43fb52254fdb778d58

Analysis

Target

FACTURAS.EXE
Size

743KB
MD5

dec50d35699429ddcba5874277455f92
SHA1

a3b0ec9a1df69019bcc31557475b94b9cc2e39a2
SHA256

0fb28c106093876aa073dc06d84fdf14c4d01f655e5a5c78e377f60321fa7665
SHA512

11dd4e61b7141798e166b985674bcbfd0294b38c081a2667305f8d46fc9c2a7d031d228cf5ba3c7c8698c92d6a349b862b4d1e386ac746bcd00c9ebe47bce9be

Score

10^/10

Family

lokibot

http://63.141.228.141/32.php/209hwrrIygNFO

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

FACTURAS.EXE

description pid process target process

PID 1616 set thread context of 292 1616 FACTURAS.EXE FACTURAS.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

FACTURAS.EXE

pid process

292 FACTURAS.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FACTURAS.EXE

description pid process

Token: SeDebugPrivilege 292 FACTURAS.EXE

description	pid	process	target process
PID 1616 set thread context of 292	1616	FACTURAS.EXE	FACTURAS.EXE

pid	process
292	FACTURAS.EXE

description	pid	process
Token: SeDebugPrivilege	292	FACTURAS.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

FACTURAS.EXE

description	pid	process	target process
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE
PID 1616 wrote to memory of 292	1616	FACTURAS.EXE	FACTURAS.EXE

memory/292-67-0x00000000004139DE-mapping.dmp

Download
memory/292-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/292-68-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/292-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1616-60-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1616-62-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1616-63-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1616-64-0x0000000007940000-0x00000000079D5000-memory.dmp

Filesize
596KB

Download
memory/1616-65-0x0000000007E70000-0x0000000007ED3000-memory.dmp

Filesize
396KB

Download