MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927
SHA3-384 hash: 34e09c5940f56d7129111be140bcf4a350dfdd79d4ae996d345d1bdc95a25f231291f1e9b4833158dbbc00240301c695
SHA1 hash: 67e96d488538213b16c6c0c599648437a176039a
MD5 hash: 0af7fbb3b5a2a7059555859c4c1db8f9
humanhash: uranus-october-oven-stairway
File name:SecuriteInfo.com.Variant.Jaik.72878.10394.17964
Download: download sample
Signature Loki
Create hunting rule
File size:212'868 bytes
First seen:2022-05-12 10:52:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 3072:LODZGPEounbPcYshIYLbrM88cu1IC8N5vE6z8kRZSKbzCbQnPanr+83Mckm/fsjz:LOtIOUr+Y/rzu1T8r1gk/lPOGMEjuw
Threatray 7'781 similar samples on MalwareBazaar
TLSH T1BB2402213255F0A7EEE623323D3BA77AC8F7A5152CA1099B570112D6B9F3201F61F34A
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter SecuriteInfoCom
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270067/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17340/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/627ce721420fe225c4097d09/reports/4d5f0d91-e1a8-49f3-b58e-eb61c0cfa890/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff2b2eb5-4738-47e1-8db0-2a3a0815ceb1
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/992646
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-05-12 10:20:48 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
42d8b7f214ab4c51c337d3abfaa9107f0e8fd78801311e205cd484e4b65fb440
Loki
7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb
Loki
8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950
Loki
c16dcddd7b9501bce324b49c9906488bb7a5467789381766801dfd7ce2d13a1a
Loki
e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2
Loki
+ 7'771 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220512-myyzrscca9/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927
MD5 hash:
0af7fbb3b5a2a7059555859c4c1db8f9
SHA1 hash:
67e96d488538213b16c6c0c599648437a176039a
Link:
https://www.unpac.me/results/e071e7a1-5b4c-444c-a1b8-453891046172/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 0728b4bdf11dbf9da1c04ad542981e9bc44e313747bf5b86dccc15ca7f8dc927

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2191236/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2191235/
Cape
Cape
https://www.capesandbox.com/analysis/270067/

Comments