MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bf01b361f00112f425be6120d9dd36b8943d585373e95756fc10a56cdc7c48a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bf01b361f00112f425be6120d9dd36b8943d585373e95756fc10a56cdc7c48a
SHA3-384 hash: 42bf0f66b7d8d7a7c69d086487e317f1cdf7a9dfe9d766c71b3e8580966e094abb7ca7c815bf2d6f13b31c186d92e162
SHA1 hash: e6a512f7d91e467e3417145635e0b43e866c2d68
MD5 hash: 825b42a0e8a4136561853772cc8bf6a4
humanhash: winter-sierra-kitten-queen
File name:825B42A0E8A4136561853772CC8BF6A4.exe
Download: download sample
Signature Loki
Create hunting rule
File size:118'738 bytes
First seen:2021-07-24 22:16:12 UTC
Last seen:2021-07-24 22:44:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1eef928161ef7d2982c39057cbea43bf (1 x Formbook, 1 x Loki)
ssdeep 3072:45KUzoKURT4Sc8O5WKqNfygB3gRlTTSwKfNmlwTio8:4bC0ScDOf3glTnvo8
Threatray 3'767 similar samples on MalwareBazaar
TLSH T11FC3D0079F186364CA687334A44CD8FB5A0A593AD6BF0DEFA7C0334A3821AD451F9B53
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://185.227.139.18/dsaicosaicasdi.php/cBX7uEWjd5c0S

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.227.139.18/dsaicosaicasdi.php/cBX7uEWjd5c0S https://threatfox.abuse.ch/ioc/162786/

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
825B42A0E8A4136561853772CC8BF6A4.exe
Verdict:
Malicious activity
Analysis date:
2021-07-24 22:19:32 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/bdce7bd4-2157-4492-bfd9-ed6a711c0e13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173952/
Detection(s):
SecuriteInfo.com.Heur.Mint.Zard.24.6601.25252.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aced52ce-5fff-4d1b-84e7-920f710c6aeb
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/821351
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.VirRansom
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 02:10:43 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpybwnq7aais6qs34yja3hotnoeuhvmfg47jk5lpyeffntohysfa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2d65a3c7da04463e34efa56f9754da234575e1082c239ce1aad1d2115d4d029a
Loki
62742e4698b352658390b6b4f5088ddebb673503d5a4151f19c2face25932210
Loki
7e0c5eb5f18d5313c39c806aeb2ee42b3ca22661c6c1aa2eb0fbead3948f6e26
Loki
8ad5224e6ae6b35e13dd1d79d7d21f3e8e28847c81cd5dd2ce830958bb042102
Loki
a03c15ab25900cc50f462093b4abdf262d51099c0feccb4f51fc2c805373cd3a
Loki
bbbe39716fc34ce2fc73e72a86669a1948ed5fb6a83ab0ce7f939409ac5d5474
Loki
+ 3'757 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210724-hqcwvt4ne2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/cBX7uEWjd5c0S
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
bf8d5d4654b8611cc176df3ba9fd5f5ce6ec80bb67aabb26174d60ca29ae6e4d
MD5 hash:
eb4e5a0e719d47d35e34d6bf83bd756a
SHA1 hash:
31bc331453e9380f2d8c6c3debae89613f96c866
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1eca33c5-c6bc-48fd-8e0f-c3462c7fb681/
SH256 hash:
0bf01b361f00112f425be6120d9dd36b8943d585373e95756fc10a56cdc7c48a
MD5 hash:
825b42a0e8a4136561853772cc8bf6a4
SHA1 hash:
e6a512f7d91e467e3417145635e0b43e866c2d68
Link:
https://www.unpac.me/results/1eca33c5-c6bc-48fd-8e0f-c3462c7fb681/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0bf01b361f00112f425be6120d9dd36b8943d585373e95756fc10a56cdc7c48a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173952/

Comments