lokibot | 972ef638b803266c9fe4afce93a2f0a4a2a880b7a93a6c250209c55dea295ee0

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 08:06

Target

9de9a50ec8399bcbea1697aed7f6b093.exe
Size

990KB
MD5

9de9a50ec8399bcbea1697aed7f6b093
SHA1

71997994585f06160d84ac92555b2eadaacfaed3
SHA256

972ef638b803266c9fe4afce93a2f0a4a2a880b7a93a6c250209c55dea295ee0
SHA512

c717604050139d6d7579ae90ebaf201f4f615c75b69163c2f0720ebe23448e6c8e88e1e91c8732ce6b4a2ff569e4c43e8e6d1fd09a148607ebbb75c9244fad3c
SSDEEP

24576:7xlH0Rs/OSeKVTzAd9zpthYjMNuZ+FOPSKs0:NlH0Rs/OSes8NthYjMNuZ+FOPSK

Score

10^/10

Family

lokibot

http://195.123.211.210/evie1/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

9de9a50ec8399bcbea1697aed7f6b093.exe

description pid process target process

PID 2192 set thread context of 1740 2192 9de9a50ec8399bcbea1697aed7f6b093.exe 9de9a50ec8399bcbea1697aed7f6b093.exe

description	pid	process	target process
PID 2192 set thread context of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9de9a50ec8399bcbea1697aed7f6b093.exe

description	pid	process	target process
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe
PID 2192 wrote to memory of 1740	2192	9de9a50ec8399bcbea1697aed7f6b093.exe	9de9a50ec8399bcbea1697aed7f6b093.exe

C:\Users\Admin\AppData\Local\Temp\9de9a50ec8399bcbea1697aed7f6b093.exe
"C:\Users\Admin\AppData\Local\Temp\9de9a50ec8399bcbea1697aed7f6b093.exe"
2⤵
PID:1740

memory/1740-11-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/1740-4-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/1740-6-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/1740-8-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/1740-17-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/1740-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1740-13-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2192-3-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2192-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/2192-9-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-2-0x0000000000B60000-0x0000000000BAE000-memory.dmp

Filesize
312KB

Download
memory/2192-1-0x0000000000C30000-0x0000000000D2E000-memory.dmp

Filesize
1016KB

Download
memory/2192-19-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download