lokibot | eb6d3ace662019bd56815df63efce445a2f9357ca21a187517e11d8a7dd022d7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 10:57

Target

pyramidzx.scr.exe
Size

1.1MB
MD5

8b55653ee4d81ebca0bdc88e3b5fc942
SHA1

27f988ad6c42417936d25282f960c16daeebc00c
SHA256

eb6d3ace662019bd56815df63efce445a2f9357ca21a187517e11d8a7dd022d7
SHA512

9bcca862c26fd0b41a0e4203fa6546fbda3c2a551d5115bb1fb204aee3644dc18c80d7eacdaa05815dd73ad5cd834ceddf0ab2f2ec233bdc7deb9f691c910b35
SSDEEP

24576:FSu1S82mBVrIiudqfO/9kfbRyWNaRVSVOJFXH7C:FSuU82mTVnRlxN1sJFX

Score

10^/10

Family

lokibot

http://sempersim.su/d3/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 1360	4840	pyramidzx.scr.exe	85

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85
PID 4840 wrote to memory of 1360	4840	pyramidzx.scr.exe	85

C:\Users\Admin\AppData\Local\Temp\pyramidzx.scr.exe
"C:\Users\Admin\AppData\Local\Temp\pyramidzx.scr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\pyramidzx.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\pyramidzx.scr.exe"
  2⤵
  PID:1360

memory/1360-10-0x0000000000500000-0x00000000005A2000-memory.dmp

Filesize
648KB

Download
memory/4840-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/4840-1-0x00000000009C0000-0x0000000000AD4000-memory.dmp

Filesize
1.1MB

Download
memory/4840-2-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/4840-3-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/4840-4-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/4840-6-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4840-5-0x0000000005740000-0x000000000578E000-memory.dmp

Filesize
312KB

Download
memory/4840-7-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/4840-8-0x0000000005790000-0x0000000005798000-memory.dmp

Filesize
32KB

Download
memory/4840-13-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download