lokibot | 624222e2621e27d2fa7e5501300b150ab8ba8fbdd92a1ca108d641b0f34d6926

General

Target

PTI invoice of oc 4f -36..exe
Size

849KB
MD5

7d4c0543f30b67b2d2c30cc548d2b725
SHA1

dacea8e26c5e8d50f8aa65a0c76fbfc6db24c8e0
SHA256

5c932da9805dcfbf5d7188eb6e0938c13b3291cdb11be5564cb446a07cd12011
SHA512

c3a1139c74b01ebedabcb128eb8a57661c41aa1684ae244d12a1b3765bce455528ea115fa922af44720e5fedc1cfbe019c63db25d7886fb96f006db1c5b31e0a

Score

10^/10

Family

lokibot

C2

http://abixmaly.duckdns.org/binge/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
Suspicious use of SetThreadContext 1 IoCs

Processes:

PTI invoice of oc 4f -36..exe

description pid process target process

PID 1092 set thread context of 800 1092 PTI invoice of oc 4f -36..exe PTI invoice of oc 4f -36..exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

PTI invoice of oc 4f -36..exe

pid process

800 PTI invoice of oc 4f -36..exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PTI invoice of oc 4f -36..exe

description pid process

Token: SeDebugPrivilege 800 PTI invoice of oc 4f -36..exe

description	pid	process	target process
PID 1092 set thread context of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe

pid	process
800	PTI invoice of oc 4f -36..exe

description	pid	process
Token: SeDebugPrivilege	800	PTI invoice of oc 4f -36..exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

PTI invoice of oc 4f -36..exe

description	pid	process	target process
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe
PID 1092 wrote to memory of 800	1092	PTI invoice of oc 4f -36..exe	PTI invoice of oc 4f -36..exe

memory/800-66-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/800-67-0x00000000004139DE-mapping.dmp

Download
memory/800-68-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download
memory/800-69-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1092-60-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1092-62-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1092-63-0x0000000000390000-0x00000000003AB000-memory.dmp

Filesize
108KB

Download
memory/1092-64-0x00000000057A0000-0x0000000005801000-memory.dmp

Filesize
388KB

Download
memory/1092-65-0x0000000000530000-0x000000000054D000-memory.dmp

Filesize
116KB

Download