MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 053ba5ebdf692c17beed17aec6e7ca7d183ab55b5264170fd11a7f7850828289. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 053ba5ebdf692c17beed17aec6e7ca7d183ab55b5264170fd11a7f7850828289
SHA3-384 hash: 50638a7bfc0f727b513bceb6c774914ad4bf43b0cc8b20baf6f97e12b442e3278426ca02f04494c82941d214a2e9462f
SHA1 hash: eb408839d73c942af8bd9c663b58a79f4d478d40
MD5 hash: 09a781424dc28340d0112c5e4f77ac3e
humanhash: yellow-london-twelve-beryllium
File name:09a781424dc28340d0112c5e4f77ac3e.exe
Download: download sample
Signature Loki
Create hunting rule
File size:128'161 bytes
First seen:2021-06-29 06:59:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 3072:iBkfJpRXATwMdFCcGbV07weSVIixs7HFWEODytnwpB0FyN:iqjIKVYwmLBW+q30Fo
Threatray 3'336 similar samples on MalwareBazaar
TLSH 72C3022F3190D8A7DB6B12B09C365762AFEA91250160478FE7649F5F7C31BE3104E7A2
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
09a781424dc28340d0112c5e4f77ac3e.exe
Verdict:
Malicious activity
Analysis date:
2021-06-29 07:02:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0400461e-b25a-46c7-b714-49b3046c6e74

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168691/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.17447.6150.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9e43103-b42d-4608-aedf-af6a1c2a3011
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809222
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/053ba5ebdf692c17beed17aec6e7ca7d183ab55b5264170fd11a7f7850828289/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 07:00:14 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=au52l267newbppxnc6xmnz6kpumdvnk3kjsbod6rdj7xquecqkeq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0c4efefcd2850c9764e65fb0f5a084573dfb65c7103b4513781c02e06e21c83a
Loki
0f1d9f17d6380c6318f136f9f951922cffd80ba90fa8748ab88e6fd0b0b19ceb
Loki
47aa20a304624dbf8b71da1804f3f848ab12f2797390d0788067b542dc2c6a9c
Loki
52ffdd3bc0de63eb8f6cd8a90373eaf3bcc37bb0804fc4eaad228d34ea5f293d
Loki
616b49735927d0f2a78649237770fe83d86db4c50731ac38b8395b85a67ac2e2
Loki
7c53e1f63d1d88bc24f08cdb03e119ebedd27c84802f3b012b7a424ea9ed8e5f
Loki
90d83343f51a1ec0472c4dfd7c887ee13cf79e060632c45e75cd43ff90450810
Loki
c4039980d8050f9deeba61533e38ffff74571e48f7304940825852c2cf8f0932
Loki
cf047a5781d40b7500be89db809fe4343223b20e043819bbba6511ed4f5858e1
Loki
d324d33233edf16f00bb4c9a06a14eee0ef15f8d90a3b9f62213e0ea9054312d
Loki
+ 3'326 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210629-6k18ynal6n/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
ec8627c2e3744678c52fe1b743d92d57bc2302ee6a34cd643dc02233a00d9f44
MD5 hash:
b5ec89cb60f7ede3abd0242790517127
SHA1 hash:
17989841ba4a1675175fcc2e6f3013fab3bf8c1b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d41d2660-0ce8-43bc-8deb-da2e07e51e27/
SH256 hash:
06337925a71f1dea18d953fd7f930ae19bc19c5c1d65270cc21e1541879b6efb
MD5 hash:
11f667b800bacfc07e6bb27321432b9f
SHA1 hash:
2d8c15ee87b757ad20e036818e66fda97ec678d1
Link:
https://www.unpac.me/results/d41d2660-0ce8-43bc-8deb-da2e07e51e27/
SH256 hash:
053ba5ebdf692c17beed17aec6e7ca7d183ab55b5264170fd11a7f7850828289
MD5 hash:
09a781424dc28340d0112c5e4f77ac3e
SHA1 hash:
eb408839d73c942af8bd9c663b58a79f4d478d40
Link:
https://www.unpac.me/results/d41d2660-0ce8-43bc-8deb-da2e07e51e27/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.67
Link:
https://yomi.yoroi.company/submissions/053ba5ebdf692c17beed17aec6e7ca7d183ab55b5264170fd11a7f7850828289

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 053ba5ebdf692c17beed17aec6e7ca7d183ab55b5264170fd11a7f7850828289

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1409437/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168691/

Comments