MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 137db6baaee41625a255900d2e76eb3c42575398bf06b92e2a0ef50a40305cc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 13
| SHA256 hash: | 137db6baaee41625a255900d2e76eb3c42575398bf06b92e2a0ef50a40305cc1 |
|---|---|
| SHA3-384 hash: | bdf9708f9d715e7cbfefda2626f8a7d7ae71750bc254c8cf202a1e4ae66f0d8292f1c7b6899f22e1c37397632c947c7a |
| SHA1 hash: | 367aa158cb5dd614f8d4b3cac196bad329ee1073 |
| MD5 hash: | 18e6b6c1a6f3f7aaa2be58edaa8c1121 |
| humanhash: | bulldog-uncle-virginia-early |
| File name: | 18e6b6c1a6f3f7aaa2be58edaa8c1121 |
| Download: | download sample |
| Signature | Loki |
| File size: | 245'760 bytes |
| First seen: | 2021-09-30 16:05:34 UTC |
| Last seen: | 2021-09-30 18:22:05 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 1f41e0ca4ea9e1d12338209135b5bab4 (6 x ArkeiStealer, 1 x DanaBot, 1 x Loki) |
| ssdeep | 3072:vTOpv191RkD/Xa4BtPoQD0aLC7yDzbatkOzXn907k8BzMBpY8hLV3LJE:vTiv8D/XTPoQzmkuwg88hLX |
| Threatray | 4'808 similar samples on MalwareBazaar |
| TLSH | T16034AE0077E1C035F4B326B649BA93B4A93DBDB16B24D1CB63C42BEA56746E4AD30743 |
| File icon (PE): |  |
| dhash icon | e0e8e8e8aa66a499 (32 x RaccoonStealer, 23 x RedLineStealer, 14 x ArkeiStealer) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe Loki |
Intelligence
File Origin
# of uploads :
2
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Result
Verdict:
Malware
Maliciousness:
Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Malware family:
Loki
Verdict:
Malicious
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Detection:
lokibot
Threat name:
Win32.Trojan.Fragtor
Status:
Malicious
First seen:
2021-09-30 14:58:37 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Similar samples:
+ 4'798 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot spyware stealer trojan
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=119
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
e641af581e3e33501b2c63a4f9d82f4d6e9eb1df24e3fa7e30a6f8c60bd4a140
MD5 hash:
6d641b36e37a83166c34fc20a1a8eb55
SHA1 hash:
a597687163740a868fd6bbeba3286ed4fea04ce4
Detections:
win_lokipws_g0
win_lokipws_auto
Parent samples :
137db6baaee41625a255900d2e76eb3c42575398bf06b92e2a0ef50a40305cc1
2b0adb1ba45e7ea11b27618151f3a185ce653c81235ab523dce4292403f99ac0
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772
2b0adb1ba45e7ea11b27618151f3a185ce653c81235ab523dce4292403f99ac0
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772
SH256 hash:
137db6baaee41625a255900d2e76eb3c42575398bf06b92e2a0ef50a40305cc1
MD5 hash:
18e6b6c1a6f3f7aaa2be58edaa8c1121
SHA1 hash:
367aa158cb5dd614f8d4b3cac196bad329ee1073
Malware family:
Lokibot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://192.227.225.173/rim/vbc.exe