MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 037a4ae072c70cade6ca101962abd2ebf156642b04a43a182ad39868397a5fae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 037a4ae072c70cade6ca101962abd2ebf156642b04a43a182ad39868397a5fae
SHA3-384 hash: 504151c4609492dc5b6c24e20ba2915ab5ac08311ea583e5d985c75aa1521113aedc4ca7d3c588e6c4553268a53601f9
SHA1 hash: 2092ee6ad345d1c8308c71591b8199487139c90e
MD5 hash: c7381f53aae8af38e0878fd55fd4233a
humanhash: sink-stream-jig-robin
File name:c7381f53aae8af38e0878fd55fd4233a
Download: download sample
Signature Loki
Create hunting rule
File size:288'117 bytes
First seen:2021-11-15 09:08:25 UTC
Last seen:2021-11-15 11:13:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiaNdSnlmZhzuwmmjSal0U+WMHqFZpzxN+2jH80xNbCeZranu+L:Y0lchuwmCB0XtHqBdljHjx1C1uQ
Threatray 5'407 similar samples on MalwareBazaar
TLSH T10D5423467DC4C99FC490483009B39F3ABFBBD299C1661A1357C45F376B2BD660AA82D3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af03f2fb7663771c312b66f2e4e5f52c38196ce47862d67e4acfc9592475de8f.xlsx
Verdict:
Malicious activity
Analysis date:
2021-11-15 05:34:56 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/bfe4a881-f3fd-4cbc-a476-17c26af3e50a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lokibot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/205841/
Detection(s):
SecuriteInfo.com.Dropped.Trojan.GenericKDZ.80095.2680.24835.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Reading critical registry keys
Sending a UDP request
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Creating a window
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619223b23edf00a722d51076/reports/c8274f8d-1829-440c-a501-d75525b040e5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/479cd60c-af5f-4f01-b261-8d7772333beb
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/889244
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/037a4ae072c70cade6ca101962abd2ebf156642b04a43a182ad39868397a5fae/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 08:11:28 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=an5evydsy4gk3zwkcamwfk6s5pyvmzblassdugbk2omgqol2l6xa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
192e4319bd154cebbbf5354e1b04bc8fb53b9dc6bd48887d2ce1f4159bee5b4e
Loki
23857e09339755abd6fc1933b0d6de532f86c378d00ad968abcd3902e303ec36
Loki
397d08a888f2174c57f1ffa6d26dbf903bb072e9dc1509ce9c119350e837eb65
Loki
425e1e6199ab47a0dc997c8bf731bc09d96a97c7d55a43d6767fb99d74ecb036
Loki
7b12e253b0bf89ef0535a8dc539361954c67511bcdbc709060c0b1e6ed539cb6
Loki
b87ecdb8035fa8b5ce87570d757265182a9f49122a02e77dc7f414816cf4b511
Loki
+ 5'397 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/211115-k4fz2aeffj/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://63.250.40.204/~wpdemo/file.php?search=5803588
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
037a4ae072c70cade6ca101962abd2ebf156642b04a43a182ad39868397a5fae
MD5 hash:
c7381f53aae8af38e0878fd55fd4233a
SHA1 hash:
2092ee6ad345d1c8308c71591b8199487139c90e
Link:
https://www.unpac.me/results/1cd1b89c-88de-43c2-ab77-7384587f964c/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/037a4ae072c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 037a4ae072c70cade6ca101962abd2ebf156642b04a43a182ad39868397a5fae

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1788020/
Cape
Cape
https://www.capesandbox.com/analysis/205841/

Comments


Avatar
zbet commented on 2021-11-15 09:08:28 UTC

url : hxxp://107.173.219.26/c1/file_01.exe