lokibot | b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72

General

Target

audiodg.exe
Size

566KB
MD5

66da45ed268a07990768ee03d70e4502
SHA1

3cef4bb7af1179eabd38cd1e1989dc9c41f5c69c
SHA256

b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72
SHA512

ffb07451f68ac863c803407d5081f07aec97824cbe15390b4e658e4f455b2635769f53d375d497aa4e493364458b8f85aa6539e45dbaa31aab4cca347e0f0ee9

Score

10^/10

lokibot spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://185.227.139.18/dsaicosaicasdi.php/jRbn3g7uWVTsx

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/508-121-0x0000000005BE0000-0x0000000005BEB000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

audiodg.exe

description pid process target process

PID 508 set thread context of 2116 508 audiodg.exe audiodg.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

audiodg.exe

pid process

2116 audiodg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

audiodg.exe

description pid process

Token: SeDebugPrivilege 2116 audiodg.exe

description	pid	process	target process
PID 508 set thread context of 2116	508	audiodg.exe	audiodg.exe

pid	process
2116	audiodg.exe

description	pid	process
Token: SeDebugPrivilege	2116	audiodg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

audiodg.exe

description	pid	process	target process
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe
PID 508 wrote to memory of 2116	508	audiodg.exe	audiodg.exe

C:\Users\Admin\AppData\Local\Temp\audiodg.exe
"C:\Users\Admin\AppData\Local\Temp\audiodg.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\audiodg.exe
"C:\Users\Admin\AppData\Local\Temp\audiodg.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/508-116-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/508-117-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/508-118-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/508-119-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/508-120-0x00000000050E0000-0x00000000055DE000-memory.dmp

Filesize
5.0MB

Download
memory/508-121-0x0000000005BE0000-0x0000000005BEB000-memory.dmp

Filesize
44KB

Download
memory/508-122-0x0000000007830000-0x0000000007896000-memory.dmp

Filesize
408KB

Download
memory/508-123-0x00000000078C0000-0x00000000078E1000-memory.dmp

Filesize
132KB

Download
memory/2116-125-0x00000000004139DE-mapping.dmp

Download
memory/2116-124-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2116-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download

Analysis

Sharing