lokibot | 3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 07:55

Target

4079a6d6e87057582e467161d233e7cb.exe
Size

496KB
MD5

4079a6d6e87057582e467161d233e7cb
SHA1

ea54e95a5fa38f415166b3290c0c1f107f8c0cda
SHA256

3e413cd70e1b19e81efe9c6560834b9dfc7da53a57e2070e4b1e9864702c3e92
SHA512

c672ccc97b9c04b1ab36fbc17d6d0e3948aceddad0fc397e2c7e1f66dd09dd885015331a91addd1541045de733528c1c16f5ad5f88f1991a276b50776e5a1b9e
SSDEEP

6144:VTVFZInd6Xcfg9USG99KBOBJw/At7ENWWj0JBMufClIxkzhorWG7RCUsw3y:V5kndmJCEgjC6xSerudw

Score

10^/10

Family

lokibot

http://midwestsoil.top/alpha/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28
PID 3028 wrote to memory of 2644	3028	4079a6d6e87057582e467161d233e7cb.exe	28

C:\Users\Admin\AppData\Local\Temp\4079a6d6e87057582e467161d233e7cb.exe
"C:\Users\Admin\AppData\Local\Temp\4079a6d6e87057582e467161d233e7cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\4079a6d6e87057582e467161d233e7cb.exe
  "C:\Users\Admin\AppData\Local\Temp\4079a6d6e87057582e467161d233e7cb.exe"
  2⤵
  PID:2644

memory/2644-12-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2644-5-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2644-16-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2644-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-13-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2644-9-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2644-7-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/3028-1-0x0000000000360000-0x00000000003E2000-memory.dmp

Filesize
520KB

Download
memory/3028-2-0x0000000002050000-0x000000000209E000-memory.dmp

Filesize
312KB

Download
memory/3028-3-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-4-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/3028-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/3028-18-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download