lokibot | 78fbe00d497dc9ee0fa4dcbd83d5b04928bb6c952adedf721e9c577548ce8c12

Analysis

max time kernel
90s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2023 20:36

Target

a0c1eee76f19d04eb95679242a5d2ba2.exe
Size

954KB
MD5

a0c1eee76f19d04eb95679242a5d2ba2
SHA1

985fab934a3291ccdd65f3b6ff97ddd6b4f04174
SHA256

78fbe00d497dc9ee0fa4dcbd83d5b04928bb6c952adedf721e9c577548ce8c12
SHA512

5c1f4971a22714219ce5569e5e28ce5d31f4880be2ed72e51a2468578b32a88b84f996878a9e0ab9533b406b91953f607ee6d6f63adf21bba853eb280166d6eb
SSDEEP

12288:4m7tnnKUsQH0gVm7tnnKUsQH0gnzNdewwY/wgoe4fLYwLcfCLFSLfmJ:4m7ZH04m7ZH0sfwfecYKcqZSq

Score

10^/10

Family

lokibot

http://predictindia.co/loki/Panel/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

a0c1eee76f19d04eb95679242a5d2ba2.exe

description pid process target process

PID 2740 set thread context of 852 2740 a0c1eee76f19d04eb95679242a5d2ba2.exe a0c1eee76f19d04eb95679242a5d2ba2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a0c1eee76f19d04eb95679242a5d2ba2.exe

description pid process

Token: SeDebugPrivilege 2740 a0c1eee76f19d04eb95679242a5d2ba2.exe

description	pid	process	target process
PID 2740 set thread context of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe

description	pid	process
Token: SeDebugPrivilege	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a0c1eee76f19d04eb95679242a5d2ba2.exe

description	pid	process	target process
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe
PID 2740 wrote to memory of 852	2740	a0c1eee76f19d04eb95679242a5d2ba2.exe	a0c1eee76f19d04eb95679242a5d2ba2.exe

C:\Users\Admin\AppData\Local\Temp\a0c1eee76f19d04eb95679242a5d2ba2.exe
"C:\Users\Admin\AppData\Local\Temp\a0c1eee76f19d04eb95679242a5d2ba2.exe"
2⤵
PID:852

memory/852-136-0x0000000000000000-mapping.dmp

Download
memory/852-138-0x0000000000820000-0x00000000008C2000-memory.dmp

Filesize
648KB

Download
memory/2740-132-0x0000000000DC0000-0x0000000000EB2000-memory.dmp

Filesize
968KB

Download
memory/2740-133-0x0000000006820000-0x0000000006DC4000-memory.dmp

Filesize
5.6MB

Download
memory/2740-134-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/2740-135-0x0000000006DD0000-0x0000000006E6C000-memory.dmp

Filesize
624KB

Download