MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dc6ac9a0255d8c726ea77ff4a7298ecc14552790389259c841e9da27c46e540. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dc6ac9a0255d8c726ea77ff4a7298ecc14552790389259c841e9da27c46e540
SHA3-384 hash: 3699a6c4ab5bb0462694f7d216972ed3889a0235ecf722f040d0fd305a95c32bda5309b8d8dc5a69139439ff37bb5a9e
SHA1 hash: af7f0e519116cfcc8c04aff5b637a95f293b661d
MD5 hash: 3bcf9f3ba357860a4d1bd73c93802ceb
humanhash: quebec-arizona-nineteen-edward
File name:3bcf9f3ba357860a4d1bd73c93802ceb.exe
Download: download sample
Signature Loki
Create hunting rule
File size:258'095 bytes
First seen:2021-09-20 13:58:38 UTC
Last seen:2021-09-20 15:09:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:Z8LxBnBRIjc5cwXF63iIi8fO1szmSfitntIMjR:EBRJ5cwcjO1wmE6GOR
Threatray 4'714 similar samples on MalwareBazaar
TLSH T11C441252249040F7E1F38930893AF77FFB7AE6580165528B8B7C2DFB3934EC2664A156
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KVRQ-7436819.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-20 11:52:51 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/932412c8-22b8-4a26-bfc5-bcec119139e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189467/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.32675.19480.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c08adb9-5a74-4d05-aeef-2330dddce6e5
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854149
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dc6ac9a0255d8c726ea77ff4a7298ecc14552790389259c841e9da27c46e540/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 13:59:07 UTC
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxdkzgqckxmmojxko77uu4uy5taukutzaoeslheed2o2e7cg4vaa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
13cd902db4c2d83cf33f2d2ab048f048126f7152a8e549fa31f5deeb4f2f0294
Loki
32e43017d770e13d4a21711e598fa68b20b4ea04e2d4b9cf1fac9b7dfa8feb5e
Loki
368a4dda90b399ae7d0ed91b5c8d1c9fd7cf90948cc6aaf808375381047896d5
Loki
4a6b31994025e7a6dcfeab2954dd3ae8aba701d227ac5b9684ca97e1031256c5
Loki
8fde220d40458eceb049d049f5391e8b2ff8f60e49d64d1272602e97d000a742
Loki
9f66135d831d5ba4972ba5db9e0fd4515dfaecc92013a741679d6cddbe29ab25
Loki
a105b485a43cdc606e7a040fb26e557fbd302be0b5f1b865bade788b5cfd0866
Loki
a576c7f2ef99f454afdd5c93e22bfdcd0dcbe75c2bd909f37fed84226caaaa14
Loki
be76239da7234a7e43d56d819e0558d91bdc872aef6e08db9f612ca30355bb9b
Loki
c59840f2a37cc434ef9e343de8cb199142f80d6dd77e7cfa0869972c76f2af34
Loki
+ 4'704 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210920-rad2xaghhk/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=490
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
5540d2f031f2f14170cf157dea17c7ee5677b535d4f2d2e4608c28ce21cb37ff
MD5 hash:
d1cc40536f01b3169cf3aa29f9fcd983
SHA1 hash:
84a5e3f27c32db3da585a76fefd7ae5692776563
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/8f47f846-b9c5-4399-8a24-c7b93d83e6af/
Parent samples :
0dc6ac9a0255d8c726ea77ff4a7298ecc14552790389259c841e9da27c46e540
a91e4336af850950b1bcaec94d14e9b824ed58554c3f24256b867eae22bb2d98
SH256 hash:
0bc69197000c40965767e7f086b9bacfc44f7fc53f516f0ef2578b231fc4adfb
MD5 hash:
e1897eb8176f4c511c63a6633b554b40
SHA1 hash:
3d2ed1209453aca9315be8375bf1d34eb50dcd28
Link:
https://www.unpac.me/results/8f47f846-b9c5-4399-8a24-c7b93d83e6af/
SH256 hash:
0dc6ac9a0255d8c726ea77ff4a7298ecc14552790389259c841e9da27c46e540
MD5 hash:
3bcf9f3ba357860a4d1bd73c93802ceb
SHA1 hash:
af7f0e519116cfcc8c04aff5b637a95f293b661d
Link:
https://www.unpac.me/results/8f47f846-b9c5-4399-8a24-c7b93d83e6af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0dc6ac9a0255d8c726ea77ff4a7298ecc14552790389259c841e9da27c46e540

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 0dc6ac9a0255d8c726ea77ff4a7298ecc14552790389259c841e9da27c46e540

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1624917/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189467/

Comments