lokibot | 82c03a6ad7623a1d70ce197bb70546551ca0501afec4a36b526b75c972b2901f

General

Target

INV#202170607#SGNBM4809600#BL_pdf.exe
Size

1.0MB
MD5

f8a2560749f06673e66153403b53139f
SHA1

c47cfacf830a6c0782749e1ecb3a44e4d2f42f10
SHA256

db13717fdf4d8f392e93c6510569cf06bcd9f727d672fc1d7787c06ae6d3033b
SHA512

17356c01e540560e95ddc4be07371632c587187857c6dcaf32aba2d618e147c4cedf6ee335e8e71193eba9e81ba6aa69d60986c58ece28eff4d6329ff8d41c30

Score

10^/10

Family

lokibot

C2

http://manvim.co/com/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV#202170607#SGNBM4809600#BL_pdf.exe

description pid process target process

PID 1036 set thread context of 772 1036 INV#202170607#SGNBM4809600#BL_pdf.exe INV#202170607#SGNBM4809600#BL_pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INV#202170607#SGNBM4809600#BL_pdf.exe

description pid process

Token: SeDebugPrivilege 1036 INV#202170607#SGNBM4809600#BL_pdf.exe

description	pid	process	target process
PID 1036 set thread context of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1036	INV#202170607#SGNBM4809600#BL_pdf.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

INV#202170607#SGNBM4809600#BL_pdf.exe

description	pid	process	target process
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe
PID 1036 wrote to memory of 772	1036	INV#202170607#SGNBM4809600#BL_pdf.exe	INV#202170607#SGNBM4809600#BL_pdf.exe

C:\Users\Admin\AppData\Local\Temp\INV#202170607#SGNBM4809600#BL_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\INV#202170607#SGNBM4809600#BL_pdf.exe"
2⤵
PID:772

memory/772-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/772-66-0x00000000004139DE-mapping.dmp

Download
memory/772-67-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/772-68-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1036-59-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1036-61-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1036-62-0x0000000000480000-0x00000000004AD000-memory.dmp

Filesize
180KB

Download
memory/1036-63-0x0000000004D20000-0x0000000004D85000-memory.dmp

Filesize
404KB

Download
memory/1036-64-0x0000000000A20000-0x0000000000A40000-memory.dmp

Filesize
128KB

Download