MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f32d1725c917672afcea8f55889bd90ad5199f7d40b7656dba7e365f7df4b79c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 5



SHA256 hash: f32d1725c917672afcea8f55889bd90ad5199f7d40b7656dba7e365f7df4b79c
SHA3-384 hash: 49f471523fbf5b61a83c2f5e670cb1a90c5d82e698e0ca1ba36d7434a95f755e020325fce32e060b2ddaa5f3e6265789
SHA1 hash: 6dcb856c0d52619e35810f7e796cc63fb01bffe9
MD5 hash: e244ba48e7ff5e8cf50fec0a9e902603
humanhash: magazine-aspen-speaker-avocado
File name: f32d1725c917672afcea8f55889bd90ad5199f7d40b7656dba7e365f7df4b79c.exe
Signature: Loki
File size: 1'283'584 bytes
First seen: 2020-06-01 07:09:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep: 24576:6tb20pkaCqT5TBWgNQ7abcqclBYGb8+YaU2mdd8ZW6A:nVg5tQ7abwlB/R4T5
Threatray: 2'341 similar samples on MalwareBazaar
TLSH: 8855D01373DDC361C7725273BA26B741AEBF782506A1F96B2F94093DAC20162521EB73
Reporter: JoulK
Tags: exe Loki

Intelligence


File Origin
# of uploads: 1
# of downloads: 67
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-23 07:28:26 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 2/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://eloquentcs.com/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments