MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4
SHA3-384 hash: 40aa790fa2c81cf4704886f39fd84961e51fd90aa0181fdb0940a586e7759e86477649f5523481b5177541eb2a6db6e8
SHA1 hash: 186d90d86c3b28dea156353105e7d9527bbd55ff
MD5 hash: d0a756908c67ed3fae74125f6bc91a0c
humanhash: arkansas-moon-michigan-five
File name:file
Download: download sample
Signature Loki
Create hunting rule
File size:718'848 bytes
First seen:2023-02-06 14:52:07 UTC
Last seen:2023-02-06 16:40:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:lpkYsPAaKYBPtHQgcGcQrg3FQby0NDkTeVzoLunsVj5LHJ2jcXnyXx6q16ahRZ5G:bUAN25QgcGcHavwTeuKsB5Nu1NMS5G
TLSH T1A3E423002AACEF70D8BF9EF16374A1E8437C51063421ED6C8EF452DDCA76B66CA64716
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8200828086860000 (9 x AgentTesla, 5 x SnakeKeylogger, 4 x Formbook)
Reporter jstrosch
Tags:.NET exe Loki MSIL

Intelligence

File Origin
# of uploads :
3
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-06 14:53:13 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/f9040f3f-0009-4e09-a91c-dfe42400c11b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360937/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1820.17467.25035.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e114511c9cbf7d625624a2/reports/d5895008-05d4-453a-a5cb-90bd382ac098/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ebfef50a-832a-427f-91cc-4196f93ae7e7
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166729
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-06 14:53:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cql5pioiuflufempezbbi4sx3b7pkp23ty3pepajzqy6aazq2s2a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230206-r9atjahg3x/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://185.246.220.85/davidhill/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef
MD5 hash:
f759d70f3bbee3865d9ba45b70c59bea
SHA1 hash:
f07ca29866cf8b0d92f18904860c40a284a5f550
Link:
https://www.unpac.me/results/15763542-f650-4af6-bad8-c47d2fec49d4/
SH256 hash:
090ec066d2728260276976d5e15a112938718f95cb52829a41801bf51ecfc3e3
MD5 hash:
261187c776e7a15bffbe255bcfec1b65
SHA1 hash:
a515ae3c049bead2cb2965741d72faf79d79bede
Link:
https://www.unpac.me/results/15763542-f650-4af6-bad8-c47d2fec49d4/
SH256 hash:
bcfdf6595931c4c89caa1b5b4f07aa7df98561836a5c6262eeed63fd5614129e
MD5 hash:
34dd43db9553aa4cf98a27f0fdc0802a
SHA1 hash:
9fabdc2ecd7c18df98fa989f345c1dcc02ad87e3
Link:
https://www.unpac.me/results/15763542-f650-4af6-bad8-c47d2fec49d4/
SH256 hash:
6f6ab03e9f58eb5b617e8efb771eebbc0a28c45aa02858decc3eae9049e88c2f
MD5 hash:
7115ca15dfab7c0d782570da185088e1
SHA1 hash:
907fa2cd3300b20f71e0fd431da709ce17283ce4
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/15763542-f650-4af6-bad8-c47d2fec49d4/
Parent samples :
8609e1d5c447b9a77c1e151786125c55fd229f7bc7cd492e8b9bb766cda5d8f5
1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4
8cf5acb58e1cff07fa0279f116cf73a1f288aa186c138677c35a6baeffca0a83
d74c1bdbc59c3aebc01dd52982d90079ec3195a2182aa2e25f195e4d475eacdf
3e2f6ec5d299c785d30e65c3f48b2697b2dec1cd476f94882aca3986962bf27a
e931bae765d215ba33f7f7057a19da0a3e8da81d22af920f7d9687ab56fc73fd
SH256 hash:
8f0c7e3047346b8d6477ff6d4639fd6157602c7ebc840f3432b99263f1cb415c
MD5 hash:
e5b073b30db1b058298f5df032164e4d
SHA1 hash:
15d3ada4e7ac01b766615b9b66785e7e2ae9b0ca
Link:
https://www.unpac.me/results/15763542-f650-4af6-bad8-c47d2fec49d4/
SH256 hash:
1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4
MD5 hash:
d0a756908c67ed3fae74125f6bc91a0c
SHA1 hash:
186d90d86c3b28dea156353105e7d9527bbd55ff
Link:
https://www.unpac.me/results/15763542-f650-4af6-bad8-c47d2fec49d4/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1417d7a1c8a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 1417d7a1c8a15742918f2642147257d87ef53f5b9e36f23c09cc31e00330d4b4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/360937/
  
URLhaus
https://urlhaus.abuse.ch/url/2532853/

Comments