lokibot | 61fc463e85fb2fa581c8d7ba3321992bfe69d28dc8ca06660875d8b9e9701ecc

General

Target

f3a4f1cc5720b34b682d65f04bd122fe.exe
Size

602KB
MD5

f3a4f1cc5720b34b682d65f04bd122fe
SHA1

9918b2802596f7185e71b21cb9a9ff6001d93c01
SHA256

61fc463e85fb2fa581c8d7ba3321992bfe69d28dc8ca06660875d8b9e9701ecc
SHA512

4f1b4c2f24dfd559be01f2f66c29b6e225cb7a6df1fb4d398b64a10984d744e5a7ec44fd7a6fab0e39ec1d8086638f734f4679a7fb263027ff698413aa5dceb8

Score

10^/10

lokibot spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

C2

http://manvim.co/fd5/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3904-121-0x0000000007040000-0x000000000704B000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

f3a4f1cc5720b34b682d65f04bd122fe.exe

description pid process target process

PID 3904 set thread context of 2332 3904 f3a4f1cc5720b34b682d65f04bd122fe.exe f3a4f1cc5720b34b682d65f04bd122fe.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f3a4f1cc5720b34b682d65f04bd122fe.exe

pid process

3904 f3a4f1cc5720b34b682d65f04bd122fe.exe
3904 f3a4f1cc5720b34b682d65f04bd122fe.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

f3a4f1cc5720b34b682d65f04bd122fe.exe

pid process

2332 f3a4f1cc5720b34b682d65f04bd122fe.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f3a4f1cc5720b34b682d65f04bd122fe.exef3a4f1cc5720b34b682d65f04bd122fe.exe

description pid process

Token: SeDebugPrivilege 3904 f3a4f1cc5720b34b682d65f04bd122fe.exe
Token: SeDebugPrivilege 2332 f3a4f1cc5720b34b682d65f04bd122fe.exe

description	pid	process	target process
PID 3904 set thread context of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe

pid	process
3904	f3a4f1cc5720b34b682d65f04bd122fe.exe
3904	f3a4f1cc5720b34b682d65f04bd122fe.exe

pid	process
2332	f3a4f1cc5720b34b682d65f04bd122fe.exe

description	pid	process
Token: SeDebugPrivilege	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe
Token: SeDebugPrivilege	2332	f3a4f1cc5720b34b682d65f04bd122fe.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f3a4f1cc5720b34b682d65f04bd122fe.exe

description	pid	process	target process
PID 3904 wrote to memory of 732	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 732	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 732	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe
PID 3904 wrote to memory of 2332	3904	f3a4f1cc5720b34b682d65f04bd122fe.exe	f3a4f1cc5720b34b682d65f04bd122fe.exe

C:\Users\Admin\AppData\Local\Temp\f3a4f1cc5720b34b682d65f04bd122fe.exe
"C:\Users\Admin\AppData\Local\Temp\f3a4f1cc5720b34b682d65f04bd122fe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\f3a4f1cc5720b34b682d65f04bd122fe.exe
"C:\Users\Admin\AppData\Local\Temp\f3a4f1cc5720b34b682d65f04bd122fe.exe"
2⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\f3a4f1cc5720b34b682d65f04bd122fe.exe
"C:\Users\Admin\AppData\Local\Temp\f3a4f1cc5720b34b682d65f04bd122fe.exe"
2⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:2332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-124-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2332-125-0x00000000004139DE-mapping.dmp

Download
memory/2332-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3904-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3904-116-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3904-117-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/3904-118-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/3904-119-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3904-120-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/3904-121-0x0000000007040000-0x000000000704B000-memory.dmp

Filesize
44KB

Download
memory/3904-122-0x0000000008450000-0x00000000084B0000-memory.dmp

Filesize
384KB

Download
memory/3904-123-0x00000000084B0000-0x00000000084D1000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing