lokibot | 913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
Size

395KB
MD5

60c8e751c1caee5b01cc878231fea5f4
SHA1

d7bc61e04f58e428658d3ce86461ceadf2019548
SHA256

913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca
SHA512

45a7f0dbb7e9ebcdad9e834fe6156590e98d776db78426b2ddb2529b92c554584f4433d09de7405e36342b836d95693fccd372f1049bc4166f5078f8b3922241
SSDEEP

6144:WmijPECZwxTMr79U+dykVFJvMDxvacgN2DPAXhPDKdJsd7uUQ0KDOSrrW4iAHlZR:Wmij8w/Mkxv8Lv8Xorsd71Q0IO0r/F

Score

10^/10

lokibot spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://spencerstuartllc.top/document/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

Processes:

913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe

description	pid	process	target process
PID 2088 set thread context of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe

description	pid	process	target process
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
PID 2088 wrote to memory of 1656	2088	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe	913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe

C:\Users\Admin\AppData\Local\Temp\913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
"C:\Users\Admin\AppData\Local\Temp\913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe
"C:\Users\Admin\AppData\Local\Temp\913f2f9a1131b26bb6afcc715fc914b5ead5c2a4ffc91a3d19e51292ab3be1ca.exe"
2⤵
PID:1656

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-11-0x0000000000130000-0x00000000001D2000-memory.dmp

Filesize
648KB

Download
memory/1656-5-0x0000000000130000-0x00000000001D2000-memory.dmp

Filesize
648KB

Download
memory/1656-7-0x0000000000130000-0x00000000001D2000-memory.dmp

Filesize
648KB

Download
memory/1656-8-0x0000000000130000-0x00000000001D2000-memory.dmp

Filesize
648KB

Download
memory/1656-10-0x0000000000130000-0x00000000001D2000-memory.dmp

Filesize
648KB

Download
memory/1656-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-16-0x0000000000130000-0x00000000001D2000-memory.dmp

Filesize
648KB

Download
memory/2088-1-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-2-0x0000000000920000-0x000000000096E000-memory.dmp

Filesize
312KB

Download
memory/2088-3-0x00000000046C0000-0x0000000004700000-memory.dmp

Filesize
256KB

Download
memory/2088-4-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2088-0-0x0000000000970000-0x00000000009DA000-memory.dmp

Filesize
424KB

Download
memory/2088-18-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download