MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18cd73a838afa7eaedf424631d6a079f2ffe83c8d400d129656cad2fa6260567. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

SHA256 hash: 18cd73a838afa7eaedf424631d6a079f2ffe83c8d400d129656cad2fa6260567
SHA3-384 hash: 6da792a40c91b68a9dacb208870b728d16d76e4bc4c62e9666d126dd464b13496f4d6ade9b4de628a4f03e38f5aa653e
SHA1 hash: 60936844a9b67f04929f02313cbe13216cc5a9b8
MD5 hash: e62d40e9bd1eeab66cb3c781d543b64f
humanhash: steak-pluto-queen-jersey
File name: e62d40e9bd1eeab66cb3c781d543b64f
Signature: Loki
File size: 568'679 bytes
First seen: 2021-08-16 08:04:17 UTC
Last seen: 2021-08-16 13:19:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 82004e82653b7bafbfcf73a18d8cef95 (3 x Loki, 3 x RemcosRAT, 1 x RevCodeRAT)
ssdeep: 12288:c3LWHX34JgXZrXhcepr1klgTszv1P9V594uFsNuEjdVIP9hefKUomLn/PUkvau2D:c3LQcepp9TsTh9VHyd99L/5iu2D
Threatray: 4'257 similar samples on MalwareBazaar
TLSH: T12EC4CF10B9C0C032D673383047B4D1B15D6DB8712B6A96EF63D81AB99F25AC1B93672F
Reporter: zbetcheckin
Tags: 32 exe Loki

Intelligence

File Origin
# of uploads: 4
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: e62d40e9bd1eeab66cb3c781d543b64f
Verdict: Malicious activity
Analysis date: 2021-08-16 08:04:59 UTC
Tags: trojan lokibot stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Moving of the original file
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 64 / 100
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: SAM Dump to AppData
Sigma detected: Suspicious PowerShell Invocations - Specific
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 465782, Sample: 8L8O7bfPyF, Startdate: 16/08/2021, Architecture: WINDOWS, Score: 64. Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures. Process tree: 8L8O7bfPyF.exe started, which in turn started conhost.exe and a second 8L8O7bfPyF.exe.
Threat name: Win32.Trojan.Ursnif
Status: Suspicious
First seen: 2021-08-16 02:06:04 UTC
AV detection: 24 of 46 (52.17%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer suricata trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://everydaywegrind.ml/BN11/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: c2d2cf7316c2b966d60a0b401121c963ad32b0abb221f06de6c1b1fd81e14140
MD5 hash: 54f3ce7d798e4d8f3c880b1f35a62520
SHA1 hash: 510e6fbae1aa6d0c40605744186e7f8ef2e9a5bf
Detections: win_lokipws_g0 win_lokipws_auto

SHA256 hash: 18cd73a838afa7eaedf424631d6a079f2ffe83c8d400d129656cad2fa6260567
MD5 hash: e62d40e9bd1eeab66cb3c781d543b64f
SHA1 hash: 60936844a9b67f04929f02313cbe13216cc5a9b8
Malware family: Lokibot
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Loki
File: Executable exe 18cd73a838afa7eaedf424631d6a079f2ffe83c8d400d129656cad2fa6260567 (this sample)

Delivery method
Distributed via web download

Comments

zbet commented on 2021-08-16 08:04:18 UTC

url : hxxp://198.12.91.144/hxxp/vbc.exe