MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11641171be559d99044f4d62bfbb517de3c0981758f98998a57345b93b01dd1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 3 File information Comments

SHA256 hash:	11641171be559d99044f4d62bfbb517de3c0981758f98998a57345b93b01dd1e
SHA3-384 hash:	352b2bbce7187722ea54f3ab91bc815658153ffc90b01e4200dcdefa974679040243efa01c551bb865dbaca76fa6a2c9
SHA1 hash:	78629548aafeaab5a54decad0f5ce79948301509
MD5 hash:	5ae723426c5c426070363beed4611be0
humanhash:	wyoming-four-burger-stairway
File name:	340002751NIAHOB1087830-22PO24DE-6C4B,pdf.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	789'504 bytes
First seen:	2021-08-11 22:32:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:x8U/HK7zKpZ22WKFPTM3sXFKbfwupA/MtCpzpRAD9UKi64HchkCLsCZZPy7+7dql:x8LjGTGIuSFp1RAhW6
Threatray	4'769 similar samples on MalwareBazaar
TLSH	T1A5F4AFAC36A476EFD417CA72CEA42C60EB61B4B7871BC207905711AD9E0E957CF106F2
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://185.227.139.5/sxisodifntose.php/w3WdjHBMG5lDq

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.227.139.5/sxisodifntose.php/w3WdjHBMG5lDq	https://threatfox.abuse.ch/ioc/172492/

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

340002751NIAHOB1087830-22PO24DE-6C4B,pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-08-11 22:34:05 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/9078121b-9e43-4f2f-a303-431a7016c8a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/178407/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.993-1.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f493685-24b8-40d7-a321-63819894899d

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/831296

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/11641171be559d99044f4d62bfbb517de3c0981758f98998a57345b93b01dd1e/

Threat name:

ByteCode-MSIL.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-11 22:33:05 UTC

AV detection:

12 of 46 (26.09%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cfsbc4n6kwozsbcpjvrl7o2rpxr4bgaxld4ytgffonc3soyb3upa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

33ebfd8e209828818c29eac889a86e84eba1e9f428dc839f3a2a2fb57ade8d22

Loki

399fcf1ef0bea5b4e3b5446868d6c227c16399278359ee6094118fdaf1da9556

Loki

3b9ff29f35dafcb9a28349285b3a4f834c21d3a4061f05c775ee53b11fdd6a05

Loki

9bfab55ea6effd91b30c42df158c61218c68ca5c2775c91718849535bb692bfa

Loki

9c043d62d7c8a70b2467ebd0391ca2741d52985fb579c3b0752b1804ecd626ef

Loki

a77d42e5cf03fce86d5fcc844840ab9f8db3f562791348ae5bca2aaba0d3f54d

Loki

b97de627f21e9b429b51add91c260bf329e8df489e2f7b56d7f9b3e0dbbc315d

Loki

dcc83cdb07ca180562e8d60726bceae110348801e682c23d1b55d95d59ef0a52

Loki

+ 4'759 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer suricata trojan

Link:

https://tria.ge/reports/210811-3nh9ckelve/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://185.227.139.5/sxisodifntose.php/w3WdjHBMG5lDq
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

5fc0481acd55caf2e8b44f08f8da4f90f71f56fe4dfe4618c3ef243ab5f559ef

MD5 hash:

3c47641776142d8133fab29300523c83

SHA1 hash:

6ed8cb43275a1628340cf95655505d4712987cfb

Link:

https://www.unpac.me/results/4b1eae4d-80dc-4d55-a3e5-90b4940109fa/

SH256 hash:

ed0dd1e2260da7b03c8b80e0b45e8fef44be722c1e8c41e078c1a25ed0d18ecc

MD5 hash:

6057ce35bd926dd6d49dedfa9cc18372

SHA1 hash:

1f4e44e1740ffbd91129ac3a37d22845bc52c158

Link:

https://www.unpac.me/results/4b1eae4d-80dc-4d55-a3e5-90b4940109fa/

SH256 hash:

29c5687fed72599a24397d5fcb7b228aa27f6823cd4ade34752999cae3e6f01c

MD5 hash:

52ab35ea25fe17f1541f09b53599323e

SHA1 hash:

192f93dfd5e94ef9f56e62a0d1515b2f1f53e2ac

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/4b1eae4d-80dc-4d55-a3e5-90b4940109fa/

Parent samples :

11641171be559d99044f4d62bfbb517de3c0981758f98998a57345b93b01dd1e
ac4a470326858948bd6e8d28e2d8b0751b3b0ff61e882501bec8e434714d9a3e
c448169380e81c58f9468dfc7ffe85622b8e01d1b1b9cb66dabb7be265cd5306
a491adea93cfa47734c9807e9f58143e40b9697b005b23575f91cca7e7a93103
b027bcc2c6005b6d0e980d83457ade075f087441ec40e3748b6b23aeb439f151

SH256 hash:

11641171be559d99044f4d62bfbb517de3c0981758f98998a57345b93b01dd1e

MD5 hash:

5ae723426c5c426070363beed4611be0

SHA1 hash:

78629548aafeaab5a54decad0f5ce79948301509

Link:

https://www.unpac.me/results/4b1eae4d-80dc-4d55-a3e5-90b4940109fa/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/11641171be55/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/11641171be559d99044f4d62bfbb517de3c0981758f98998a57345b93b01dd1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178407/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample