lokibot | eb6d3ace662019bd56815df63efce445a2f9357ca21a187517e11d8a7dd022d7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 10:57

Target

pyramidzx.scr.exe
Size

1.1MB
MD5

8b55653ee4d81ebca0bdc88e3b5fc942
SHA1

27f988ad6c42417936d25282f960c16daeebc00c
SHA256

eb6d3ace662019bd56815df63efce445a2f9357ca21a187517e11d8a7dd022d7
SHA512

9bcca862c26fd0b41a0e4203fa6546fbda3c2a551d5115bb1fb204aee3644dc18c80d7eacdaa05815dd73ad5cd834ceddf0ab2f2ec233bdc7deb9f691c910b35
SSDEEP

24576:FSu1S82mBVrIiudqfO/9kfbRyWNaRVSVOJFXH7C:FSuU82mTVnRlxN1sJFX

Score

10^/10

Family

lokibot

http://sempersim.su/d3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Suspicious use of SetThreadContext 1 IoCs

Processes:

pyramidzx.scr.exe

description pid process target process

PID 4840 set thread context of 1360 4840 pyramidzx.scr.exe pyramidzx.scr.exe

description	pid	process	target process
PID 4840 set thread context of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

pyramidzx.scr.exe

description	pid	process	target process
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	pyramidzx.scr.exe

C:\Users\Admin\AppData\Local\Temp\pyramidzx.scr.exe
"C:\Users\Admin\AppData\Local\Temp\pyramidzx.scr.exe"
2⤵
PID:1360

memory/1360-10-0x0000000000500000-0x00000000005A2000-memory.dmp

Filesize
648KB

Download
memory/4840-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/4840-1-0x00000000009C0000-0x0000000000AD4000-memory.dmp

Filesize
1.1MB

Download
memory/4840-2-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/4840-3-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/4840-4-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/4840-6-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4840-5-0x0000000005740000-0x000000000578E000-memory.dmp

Filesize
312KB

Download
memory/4840-7-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/4840-8-0x0000000005790000-0x0000000005798000-memory.dmp

Filesize
32KB

Download
memory/4840-13-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download