MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 04ae6bfe534874485e7a5101cd8143439b10caf1057827b15201263c90bb49e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 9
| SHA256 hash: | 04ae6bfe534874485e7a5101cd8143439b10caf1057827b15201263c90bb49e3 |
|---|---|
| SHA3-384 hash: | e9eb13b8351d43b38e7c59b75e71cc9719a5e9a78875a8f8889a0a7e5f08468bca1e8237b9f4b41ce3130c1c804e69e8 |
| SHA1 hash: | 13cea2510b927bbcc2b531e7e5aace7414923deb |
| MD5 hash: | 8d03b9509b17ddc71d7420ef41396b82 |
| humanhash: | blue-east-hawaii-six |
| File name: | SecuriteInfo.com.Trojan.InjectNET.14.26799.25644 |
| Download: | download sample |
| Signature | Loki |
| File size: | 1'008'640 bytes |
| First seen: | 2020-11-03 18:54:21 UTC |
| Last seen: | 2020-11-03 19:43:24 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 12288:CeZW5uspPx80pEuVgMKMOUb1N1PLhrEX/8SIGxyJHsEBypobfxdCjEP/5nwAIINi:JMBpPxR91TtEv8SIjX+KX0EPE+bOeaR |
| Threatray | 1'868 similar samples on MalwareBazaar |
| TLSH | 44259DE493869607D95F123F956B3D10D353AB65CAFA878943DCB0390BBF3085A90B4B |
| Reporter |  SecuriteInfoCom |
| Tags: | Loki |
Intelligence
File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-10-30 12:38:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 28 (89.29%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Similar samples:
+ 1'858 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot persistence spyware stealer trojan
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://magicview.ga/ibiki/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
04ae6bfe534874485e7a5101cd8143439b10caf1057827b15201263c90bb49e3
MD5 hash:
8d03b9509b17ddc71d7420ef41396b82
SHA1 hash:
13cea2510b927bbcc2b531e7e5aace7414923deb
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
SH256 hash:
cadef4271b6b14e8e897738e95afdd803f590f1064815f25b839473151e2280b
MD5 hash:
c40656dd648c5caafa5f5f8c5f640089
SHA1 hash:
ad1b7fdf838c9ec8b4f14b442be09e4552a4f1fd
SH256 hash:
1c145d649ea32a15412a5b26bfed3e3cdb16df6c65e53e20947f0b7187dd8308
MD5 hash:
2f5526e34d11d959d96d343263245cb7
SHA1 hash:
ef81aca6893bc71a2db26137603485bec790b333
Detections:
win_lokipws_g0
win_lokipws_auto
Parent samples :
101eac9c5208775e2d2b9b0d822a8267e7fd5fafebffaa985e42a1c5279c30f4
a7e8c4d24e013f48bed29fb9a5f0d80c60be249862213e142c7feb47f07ac39e
04ae6bfe534874485e7a5101cd8143439b10caf1057827b15201263c90bb49e3
031cdbc53f23b909ad22439abde0d61b9d05b83ede083275c04c019860007103
64d24b76ebe2c64e1c507fa2780e6f562e7ff140b916c8bf555c143f67c72ffb
a055d329e005295bee9ac9949ef4c713a890211e5c12f3dd8ebf1d3ab955e435
f07787fba40b6e3e4e36a0a756db79e78c00f8bb665902c888d18b8e1c770537
5e59fdc976c0b0230265eff944a997b11ceb8f088945f03f569d4d49396f43d0
8f86de2b0bea22711505b71b7fc427da083165e4c9c6565499601c088823eeab
032d685902a52a0f22c98b9cb03ae73c31da8e84ae41db9e1f0c3f1add4b9e58
5192ad844549de866d34a6a739e6171acd2eabaab69230db37c931efd85b390b
a7e8c4d24e013f48bed29fb9a5f0d80c60be249862213e142c7feb47f07ac39e
04ae6bfe534874485e7a5101cd8143439b10caf1057827b15201263c90bb49e3
031cdbc53f23b909ad22439abde0d61b9d05b83ede083275c04c019860007103
64d24b76ebe2c64e1c507fa2780e6f562e7ff140b916c8bf555c143f67c72ffb
a055d329e005295bee9ac9949ef4c713a890211e5c12f3dd8ebf1d3ab955e435
f07787fba40b6e3e4e36a0a756db79e78c00f8bb665902c888d18b8e1c770537
5e59fdc976c0b0230265eff944a997b11ceb8f088945f03f569d4d49396f43d0
8f86de2b0bea22711505b71b7fc427da083165e4c9c6565499601c088823eeab
032d685902a52a0f22c98b9cb03ae73c31da8e84ae41db9e1f0c3f1add4b9e58
5192ad844549de866d34a6a739e6171acd2eabaab69230db37c931efd85b390b
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Email_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Email in files like avemaria |
| Rule name: | Lokibot |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Lokibot in memory |
| Reference: | internal research |
| Rule name: | STEALER_Lokibot |
|---|---|
| Author: | Marc Rivero | McAfee ATR Team |
| Description: | Rule to detect Lokibot stealer |
| Rule name: | win_lokipws_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.