MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1395a50888b4c73f21c6b5a00af040111af037ec72d49bf6d18609d053be2f82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1395a50888b4c73f21c6b5a00af040111af037ec72d49bf6d18609d053be2f82
SHA3-384 hash: 95c9aa76d378e15372649a46863804f744514c4f60d3450dbc9c6d54da8eb284bc1f06c131a7d0d372dfc64efa0ae267
SHA1 hash: 76581a6c5ed49c8c0567c6f6ef9788aa61fe7347
MD5 hash: 04980596d66951166fa2ebfd96c84d22
humanhash: violet-happy-wyoming-solar
File name:SecuriteInfo.com.Trojan.DownLoader42.26571.4952.1039
Download: download sample
Signature Loki
Create hunting rule
File size:167'936 bytes
First seen:2021-09-06 14:33:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f83362a57e6d6a2f15132c167d7f42c (3 x Formbook, 2 x Loki)
ssdeep 3072:WXmxKcYFvjNwx7yCYOOOOOIOOOMTYOOOOOIOOOPUUYYUYUYUYUYUYUUYUYUYUYOn:uOcKGglq
Threatray 4'622 similar samples on MalwareBazaar
TLSH T193F31FA0D285D9B9E45A023985B2DD34551B9F2DA4B8442E05EDBD2777FF38320ABC0F
dhash icon be9aac66638ad87a (1 x Loki)
Reporter SecuriteInfoCom
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c8949ea4366b524e7e6928c5a2a05a4738ecd0dde63af663fe95a4d18538b0f.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-06 06:58:40 UTC
Tags:
exploit CVE-2017-11882 trojan lokibot stealer loader
Link:
https://app.any.run/tasks/5bcdfa19-ebbd-42ba-8e2d-b9607262b5cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185689/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader42.26571.4952.1039.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Moving of the original file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c69ac05f-2b25-4ee6-8437-6206a9b04a53
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/846052
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1395a50888b4c73f21c6b5a00af040111af037ec72d49bf6d18609d053be2f82/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 08:54:35 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
4a6b31994025e7a6dcfeab2954dd3ae8aba701d227ac5b9684ca97e1031256c5
Loki
533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2
Loki
54802aa4ca1557f67314a573e918be4157b838d1bd0aa30c23d8e1f312994dac
Loki
8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07
Loki
8344690f025846a5a0dcf5d6012a94cddcfe48ffcc06fa6d566bb4ef149e6716
Loki
a9d8ff851ff8644ca724b4f4cac643aebdcdf200df30b86066db120cd0d574b2
Loki
ad03d6c2459c0ee88848bd587581f4dc1183017aac47a757e566e0390e727f4d
Loki
+ 4'612 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210906-rxe8gseddj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://xc45.xyz/SPT-TAKR/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1395a50888b4c73f21c6b5a00af040111af037ec72d49bf6d18609d053be2f82
MD5 hash:
04980596d66951166fa2ebfd96c84d22
SHA1 hash:
76581a6c5ed49c8c0567c6f6ef9788aa61fe7347
Link:
https://www.unpac.me/results/0b5db0a9-98a5-4ae2-9055-8c72e6759d73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1395a50888b4c73f21c6b5a00af040111af037ec72d49bf6d18609d053be2f82

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 1395a50888b4c73f21c6b5a00af040111af037ec72d49bf6d18609d053be2f82

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1596848/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185689/

Comments