lokibot | 323dfe748192de2c66729a6b781f73188233d4cf2efef722271499a047847011

Analysis

max time kernel
260s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 08:35

Target

Purchase Inquiry.exe
Size

721KB
MD5

bbf8cc59cbe4cd8d3845c1499335c07f
SHA1

045568cace1af652cf3dea51f561bfe80c0035d7
SHA256

7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090
SHA512

7a26c93971d7470800187fecb2908d377bd2df9aa24fd69b6c6c999746384f37e2cfc13679cef3977e4bb7b833f504ab4c2cbf10bb2883f9d52d711f678f9210
SSDEEP

12288:Be1O4WxovDi23bDIg95lzKogGNkwZ3cYRMdS98MTHRyoY:eIgvxKodMS2MjRpY

Score

10^/10

Family

lokibot

http://157.245.36.27/~dokterpol/?page=14914169539334

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Inquiry.exe

description pid process target process

PID 3152 set thread context of 2096 3152 Purchase Inquiry.exe Purchase Inquiry.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Purchase Inquiry.exe

pid process

3152 Purchase Inquiry.exe
3152 Purchase Inquiry.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Inquiry.exe

description pid process

Token: SeDebugPrivilege 3152 Purchase Inquiry.exe

description	pid	process	target process
PID 3152 set thread context of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe

pid	process
3152	Purchase Inquiry.exe
3152	Purchase Inquiry.exe

description	pid	process
Token: SeDebugPrivilege	3152	Purchase Inquiry.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Purchase Inquiry.exe

description	pid	process	target process
PID 3152 wrote to memory of 4800	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 4800	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 4800	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe
PID 3152 wrote to memory of 2096	3152	Purchase Inquiry.exe	Purchase Inquiry.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
2⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Inquiry.exe"
2⤵
PID:2096

memory/2096-138-0x0000000000000000-mapping.dmp

Download
memory/2096-139-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2096-141-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2096-142-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3152-132-0x0000000000EF0000-0x0000000000FAA000-memory.dmp

Filesize
744KB

Download
memory/3152-133-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/3152-134-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/3152-135-0x0000000005940000-0x000000000594A000-memory.dmp

Filesize
40KB

Download
memory/3152-136-0x0000000007BD0000-0x0000000007C6C000-memory.dmp

Filesize
624KB

Download
memory/4800-137-0x0000000000000000-mapping.dmp

Download