lokibot | f9bd56989f51b598194cd551db59c95883628267a3f5ca8b87c0ad69fa7a3471

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 08:12

Target

6dc6f63b7b1a593e209d062c877a488f.exe
Size

822KB
MD5

6dc6f63b7b1a593e209d062c877a488f
SHA1

ff16670fc7957da27fb31f96ae17469a5125b720
SHA256

f9bd56989f51b598194cd551db59c95883628267a3f5ca8b87c0ad69fa7a3471
SHA512

df276f80da629c7ab78c1e913c88dc916a5564373dcf51961e4427e386612a5137ff2edbe97814dc8a4fe1499359e3779fdb46a309f7687208cae995a1f57327
SSDEEP

12288:jwglEe171o1+1k155scBRTWgwxPzsohPGLCPnXFzcoUd523GY7jVtC32LhYcdc45:WnNutGuPnX5c7d52WY/V4kc4/

Score

10^/10

Family

lokibot

http://ebnsina.top/evie1/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

6dc6f63b7b1a593e209d062c877a488f.exe

description pid process target process

PID 2028 set thread context of 1572 2028 6dc6f63b7b1a593e209d062c877a488f.exe 6dc6f63b7b1a593e209d062c877a488f.exe

description	pid	process	target process
PID 2028 set thread context of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6dc6f63b7b1a593e209d062c877a488f.exe

description	pid	process	target process
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe
PID 2028 wrote to memory of 1572	2028	6dc6f63b7b1a593e209d062c877a488f.exe	6dc6f63b7b1a593e209d062c877a488f.exe

C:\Users\Admin\AppData\Local\Temp\6dc6f63b7b1a593e209d062c877a488f.exe
"C:\Users\Admin\AppData\Local\Temp\6dc6f63b7b1a593e209d062c877a488f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\6dc6f63b7b1a593e209d062c877a488f.exe
  "C:\Users\Admin\AppData\Local\Temp\6dc6f63b7b1a593e209d062c877a488f.exe"
  2⤵
  PID:1572

memory/1572-8-0x0000000000410000-0x0000000000430000-memory.dmp

Filesize
128KB

Download
memory/1572-9-0x0000000000800000-0x00000000008A2000-memory.dmp

Filesize
648KB

Download
memory/2028-0-0x00000000004D0000-0x00000000005A4000-memory.dmp

Filesize
848KB

Download
memory/2028-1-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/2028-2-0x0000000004E90000-0x0000000004EDE000-memory.dmp

Filesize
312KB

Download
memory/2028-3-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/2028-4-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/2028-5-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2028-6-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/2028-7-0x0000000005040000-0x0000000005048000-memory.dmp

Filesize
32KB

Download
memory/2028-12-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download