lokibot | 054ed8f0ce27a64eb8c1e0b9ad040ce4e90eed29e386130233d2e82d2564769a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 03:34

Target

39935053e7eaa77836d3063051d2984d.exe
Size

1.1MB
MD5

39935053e7eaa77836d3063051d2984d
SHA1

7e3262627d8f5b3324feb63b219f917bba09430c
SHA256

054ed8f0ce27a64eb8c1e0b9ad040ce4e90eed29e386130233d2e82d2564769a
SHA512

5f682d4d64ef3ba577542ca7dbe72f6ebaf19ac75e1c449bb8356d365ca6d56e5f974b758006aa052e49cf431da2f21a2f2d226a9da4cbd4b6778ca81634d1e6
SSDEEP

24576:8Su1S82mBVrIiudqZLmrNelXDukAktky7C:8SuU82mTVZ8

Score

10^/10

Family

lokibot

http://sempersim.su/d6/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81
PID 2940 wrote to memory of 824	2940	39935053e7eaa77836d3063051d2984d.exe	81

C:\Users\Admin\AppData\Local\Temp\39935053e7eaa77836d3063051d2984d.exe
"C:\Users\Admin\AppData\Local\Temp\39935053e7eaa77836d3063051d2984d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\39935053e7eaa77836d3063051d2984d.exe
  "C:\Users\Admin\AppData\Local\Temp\39935053e7eaa77836d3063051d2984d.exe"
  2⤵
  PID:824

memory/824-10-0x0000000000750000-0x00000000007F2000-memory.dmp

Filesize
648KB

Download
memory/2940-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2940-1-0x0000000000F10000-0x0000000001024000-memory.dmp

Filesize
1.1MB

Download
memory/2940-2-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/2940-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/2940-4-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/2940-5-0x0000000005B40000-0x0000000005B8E000-memory.dmp

Filesize
312KB

Download
memory/2940-6-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2940-7-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download
memory/2940-8-0x0000000005BA0000-0x0000000005BA8000-memory.dmp

Filesize
32KB

Download
memory/2940-13-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download