lokibot | c3338e8d8bb652e897c624f3380e1432eb1c4c93091b64dd28abc3cfa02fa804

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 06:44

Target

ccfc8289ea1ad3acab95de0c1e65eb2c.exe
Size

990KB
MD5

ccfc8289ea1ad3acab95de0c1e65eb2c
SHA1

b38ece908f2ffec164f1f19619b16d6bca5d0614
SHA256

c3338e8d8bb652e897c624f3380e1432eb1c4c93091b64dd28abc3cfa02fa804
SHA512

b69ff9be50478e7c08216312c2002b46a841f2a233a5a5a895612752b464058d51d11b857fd9c041d0d053dc781a46f2ff3ee7f0c230be2db1bbf3186390bf2a
SSDEEP

24576:SxlH0Rs/WSwTwT2gzlthO/GNuD6FOPSKfBbWyq0:OlH0Rs/cQ2AthO/GNuD6FOPSKJbW

Score

10^/10

Family

lokibot

http://rocheholding.top/evie3/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85
PID 2872 wrote to memory of 4428	2872	ccfc8289ea1ad3acab95de0c1e65eb2c.exe	85

C:\Users\Admin\AppData\Local\Temp\ccfc8289ea1ad3acab95de0c1e65eb2c.exe
"C:\Users\Admin\AppData\Local\Temp\ccfc8289ea1ad3acab95de0c1e65eb2c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\ccfc8289ea1ad3acab95de0c1e65eb2c.exe
  "C:\Users\Admin\AppData\Local\Temp\ccfc8289ea1ad3acab95de0c1e65eb2c.exe"
  2⤵
  PID:4428

memory/2872-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/2872-1-0x0000000000B40000-0x0000000000C3E000-memory.dmp

Filesize
1016KB

Download
memory/2872-2-0x00000000055C0000-0x000000000560E000-memory.dmp

Filesize
312KB

Download
memory/2872-3-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/2872-4-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/2872-5-0x00000000058E0000-0x000000000597C000-memory.dmp

Filesize
624KB

Download
memory/2872-6-0x00000000056B0000-0x00000000056B8000-memory.dmp

Filesize
32KB

Download
memory/2872-7-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2872-12-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4428-9-0x0000000000700000-0x00000000007A2000-memory.dmp

Filesize
648KB

Download