lokibot | 6dcd6bb33946390797c21cb9f96e063808467289379056c2dbd0e5934219ff49

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareBazaar.exe
Size

610KB
MD5

13e825e38907f58c9bfca45bba851189
SHA1

0fbadb9f113b13c3f63845cddf03dca36dcf1407
SHA256

6dcd6bb33946390797c21cb9f96e063808467289379056c2dbd0e5934219ff49
SHA512

f04258cf3528a0ad6b76ba82bfd38e1e3170f025580e2bcaf0159874a6bf5e99b4f75a330ecabb16893a10ee3a59b6efdef21b6d85b5246951fb9a0a2b3610be
SSDEEP

12288:zpahc5QdN0UfQP3wXr9plbApTyS3UgOqwr86w:zZQdNBQ/y9Ep339urhw

Score

10^/10

lokibot discovery spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://meridianresourcellc.top/document/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 2700	2540	MalwareBazaar.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareBazaar.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30
PID 2540 wrote to memory of 2700	2540	MalwareBazaar.exe	30

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2540-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/2540-1-0x00000000003F0000-0x000000000048E000-memory.dmp

Filesize
632KB

Download
memory/2540-2-0x0000000000590000-0x00000000005DE000-memory.dmp

Filesize
312KB

Download
memory/2540-3-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2540-14-0x0000000074E30000-0x000000007551E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-12-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2700-9-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2700-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2700-8-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2700-6-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2700-7-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download
memory/2700-5-0x0000000000080000-0x0000000000122000-memory.dmp

Filesize
648KB

Download