lokibot | faa6f5e68119576f62ec4865fc4aecc2aa301560c33f508650b8aa6be54cf7dd

General

Target

payment copy.exe
Size

723KB
MD5

95b543d7b6fc8250e6d356f6c5797311
SHA1

b66f8a01bfffc396b0fd8e2136636de468663d70
SHA256

faa6f5e68119576f62ec4865fc4aecc2aa301560c33f508650b8aa6be54cf7dd
SHA512

a669a32a9f96b03774e38e9c0b88af73637cdfe01439997671c62120f9af48136d6666d83a927c66db0aaed3c427d1cfdfc02c76afbd56c6418fac7ced27dce7

Score

10^/10

Family

lokibot

C2

http://abixmaly.duckdns.org/binge/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

payment copy.exe

description pid process target process

PID 4648 set thread context of 3476 4648 payment copy.exe payment copy.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

payment copy.exe

pid process

4648 payment copy.exe
4648 payment copy.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

payment copy.exe

pid process

3476 payment copy.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment copy.exepayment copy.exe

description pid process

Token: SeDebugPrivilege 4648 payment copy.exe
Token: SeDebugPrivilege 3476 payment copy.exe

description	pid	process	target process
PID 4648 set thread context of 3476	4648	payment copy.exe	payment copy.exe

pid	process
4648	payment copy.exe
4648	payment copy.exe

pid	process
3476	payment copy.exe

description	pid	process
Token: SeDebugPrivilege	4648	payment copy.exe
Token: SeDebugPrivilege	3476	payment copy.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

payment copy.exe

description	pid	process	target process
PID 4648 wrote to memory of 4084	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 4084	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 4084	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe
PID 4648 wrote to memory of 3476	4648	payment copy.exe	payment copy.exe

C:\Users\Admin\AppData\Local\Temp\payment copy.exe
"C:\Users\Admin\AppData\Local\Temp\payment copy.exe"
2⤵
PID:4084

memory/3476-124-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3476-125-0x00000000004139DE-mapping.dmp

Download
memory/3476-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4648-114-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4648-116-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4648-117-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4648-118-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4648-119-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/4648-120-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/4648-121-0x0000000005280000-0x000000000529B000-memory.dmp

Filesize
108KB

Download
memory/4648-122-0x0000000008690000-0x00000000086F6000-memory.dmp

Filesize
408KB

Download
memory/4648-123-0x0000000006E20000-0x0000000006E41000-memory.dmp

Filesize
132KB

Download