MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13bda2fab9d78868f30a0bb704eaa1db2e0dacfe11bd3dcd348290bfc67fe40c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 5



SHA256 hash: 13bda2fab9d78868f30a0bb704eaa1db2e0dacfe11bd3dcd348290bfc67fe40c
SHA3-384 hash: fe0ece4e957361526f4273aabac50cecd74b23a021a7afc5ffe5089ec58a32a47633c8c3c3354d021c2da014043787e0
SHA1 hash: f4e3b490779151aa5477a5a1d0a9f296c8f6c68b
MD5 hash: 8ac9e272b1df5061daa9455ff0230c36
humanhash: leopard-speaker-crazy-six
File name: 1.ps1
Signature: Loki
File size: 300'877 bytes
First seen: 2021-06-01 12:23:36 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 6144:9laTYe1Utx7ccUWqPcQtU78uNUysckPuILJGAm8Eu0tga+MLB:9laTYeqtx7cc3Okgu
Threatray: 3'105 similar samples on MalwareBazaar
TLSH: B154A645165BC2D5F19A4588386CF722087A747B7BC88A361237430AEBDED4A1DCFB8D
Reporter: JAMESWT_WT
Tags: ps1

Intelligence


File Origin
# of uploads: 1
# of downloads: 258
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: UNKNOWN
Threat name: Script-PowerShell.Trojan.Heuristic
Status: Malicious
First seen: 2021-06-01 12:23:56 UTC
File Type: Text (PowerShell)
AV detection: 4 of 29 (13.79%)
Threat level: 2/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://173.208.204.37/k.php/SczbkxCQZQyVr
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
