MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0070689bd4d52fe73254dc4d1f507adfebc49bc302ecec500c47fe89811da603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0070689bd4d52fe73254dc4d1f507adfebc49bc302ecec500c47fe89811da603
SHA3-384 hash: 6af2670a8ae8879731a2dac13fc02a746a633cea3ef413f2c057b69c3afe05754fb0a816e568843530941e8dafeb9c43
SHA1 hash: 80f0bd201537d92f470ef76d2e8b8372a07cc945
MD5 hash: 02dd41ae5a97eafa7a7250e64abacb08
humanhash: florida-butter-charlie-angel
File name:lobo.exe
Download: download sample
Signature Loki
Create hunting rule
File size:699'392 bytes
First seen:2022-03-16 04:44:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5C3NwOEEpe2Nb1zhqL0++TRhR7ZG4utq1UcVhzBY0hXEnVTyEc9b:QNwOBpe2NbVYL0++ZtGa1vVxXEVPcR
Threatray 8'039 similar samples on MalwareBazaar
TLSH T1C6E4122833C48FA2C7BF8F37E97452015BB6F122B432D74E5E9469EE1A9BB140910397
File icon (PE):PE icon
dhash icon 80c4ececececc480 (6 x AgentTesla, 5 x Formbook, 5 x SnakeKeylogger)
Reporter ankit_anubhav
Tags:exe Loki Lokibot

Intelligence

File Origin
# of uploads :
1
# of downloads :
430
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
lobo.exe
Verdict:
Malicious activity
Analysis date:
2022-03-16 04:44:53 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/79f41c96-f6b6-4ed0-b2a9-7597886a8d86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/251145/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.26272.26710.26252.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66bc8f8c-2acd-4619-9eed-d1f3c5763c81
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/957638
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0070689bd4d52fe73254dc4d1f507adfebc49bc302ecec500c47fe89811da603/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-16 04:45:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=abygrg6u2ux6omsu3rgr6ud237v4jg6dalwoyuami77itai5uybq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
13a20e11cd5a555f254458a08800d84b16cbc42871e9b26baef8b5e8ec958557
Loki
87e99c12ae59079e3c1eb5ad0d43ceaf907f0eae3dcebe0d33fd17f3f42b7d48
Loki
9b32c7bab515a968de59b05494701600fb0fac369e11169297713dc30b552491
Loki
eee91d7774e1d15d830eb3913deea24ff70e4967fa2ae0d1adb5d5bfe95d80bb
Loki
f907bb4548a2c3d49ab289554b6f6c98e6affd633278c6568b7bcb5a38a3b075
Loki
+ 8'029 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220316-fdd1jahca9/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://164.90.194.235/?id=24261401353047909
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0e31f3428ff6f4b77b9f4d6b369944d07b2a7f93166f725d87c4341e99efa140
MD5 hash:
ec4e497b0dd698be987059865857b867
SHA1 hash:
dec85dd3c613b988f6be5517739579ba67d698a8
Link:
https://www.unpac.me/results/aa6880f9-6fbb-4f94-a13e-3cbe41a9a5d8/
SH256 hash:
2534f3e4cf343854bf0dec8042af1d49278f4ec3981e5b32bd869afcc508001f
MD5 hash:
706102313f4890c7e68a4996ba9360f6
SHA1 hash:
c8ac3d5238c417f4617c0991a402f655dd5d843d
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/aa6880f9-6fbb-4f94-a13e-3cbe41a9a5d8/
Parent samples :
63f9ffef412f84bc98dc622d7cfd7ae0881b8f330b976826faa9071599d6b5c6
0070689bd4d52fe73254dc4d1f507adfebc49bc302ecec500c47fe89811da603
df9c5e69a34306cef8bd223a3093a53d0c7cb92c53348884ad79a1b7236816fe
SH256 hash:
4ffb59b76867dc3ee5df8b1476a82043c8bbfa9679aa90a2e4b937292b3722b8
MD5 hash:
fc6d91ff314356715f5c76ba61240c9f
SHA1 hash:
aac8291f9af1c2e18b8302550ee4d1c96120949a
Link:
https://www.unpac.me/results/aa6880f9-6fbb-4f94-a13e-3cbe41a9a5d8/
SH256 hash:
507d4e37cd2b94f1b8aca0bf9794e0b76e2e2503ba953967cca2b8958c3dfe88
MD5 hash:
aa1a7ff5bd5421291519c759460d50ad
SHA1 hash:
16f92e59a7bcd0a0bb375d28c9c6b52a5698d3c3
Link:
https://www.unpac.me/results/aa6880f9-6fbb-4f94-a13e-3cbe41a9a5d8/
SH256 hash:
0070689bd4d52fe73254dc4d1f507adfebc49bc302ecec500c47fe89811da603
MD5 hash:
02dd41ae5a97eafa7a7250e64abacb08
SHA1 hash:
80f0bd201537d92f470ef76d2e8b8372a07cc945
Link:
https://www.unpac.me/results/aa6880f9-6fbb-4f94-a13e-3cbe41a9a5d8/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0070689bd4d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/0070689bd4d52fe73254dc4d1f507adfebc49bc302ecec500c47fe89811da603

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 0070689bd4d52fe73254dc4d1f507adfebc49bc302ecec500c47fe89811da603

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/251145/

Comments