MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 19

Intelligence 19 IOCs YARA 5 File information Comments

SHA256 hash:	1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d
SHA3-384 hash:	1c05d06bf8d9cc5dac9323bce926d951ee27d25ed306d0bc8ff37432a10ccef5630e411eeb1ac7e0a1d7f0852eb81e10
SHA1 hash:	421b526ab7b03c4fb1529af55074b4cf1fba30af
MD5 hash:	8a43a10dc1358f554584a7e8c5dfdf1a
humanhash:	fanta-mockingbird-maryland-iowa
File name:	rud.scr
Download:	download sample
Signature	Loki Create hunting rule
File size:	524'800 bytes
First seen:	2024-07-16 08:07:00 UTC
Last seen:	2024-07-24 11:46:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	6144:RwgMufVBLKEbbfYeBxZGZ+fGvcaZYE6DMQRWXu9laoMBZXVseAzBL/1nW3r3CvEa:RwfufVLG+fGvqEQqBV2hWuhb
TLSH	T1B1B4CF21A7FD6B5EF6FE1F33B7A600208B76BE22692BD35C44C4587906A3741D612723
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	NDA0E
Tags:	exe Loki scr

NDA0E

https://seadrill.top/rud.scr

Intelligence

File Origin

# of uploads :

# of downloads :

495

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d.exe

Verdict:

Malicious activity

Analysis date:

2024-07-16 09:36:05 UTC

Tags:

stealer trojan lokibot

Link:

https://app.any.run/tasks/f6a5e546-f767-4a5c-8a1e-2cb4214e7096

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2944.14989.3357.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66962a2784e955866872beb2win10vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Connection attempt to an infection source

Creating a file in the %AppData% subdirectories

Creating a file

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Query of malicious DNS domain

Moving of the original file

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lokibot lolbin masquerade packed remote shell32

Link:

https://www.filescan.io/uploads/66962a2b059239fe32385b2d/reports/456f2273-0bda-4d18-8428-fb51f4d75c53/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/98ef336a-5f77-4a25-bd37-963974acfe9e

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1474086

Signature

.NET source code references suspicious native API functions

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d/

Threat name:

Win32.Trojan.CrypterX

Status:

Malicious

First seen:

2024-07-16 07:14:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=diuvsm5ibed33jujwiy6kkk6v2dl2gnsdfso5btjz22vtde5ofgq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/240716-jzze5sseln/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://rocheholding.top/rudolph/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b96865d6-2c6a-435b-b760-befdc3a96c53

Unpacked files

SH256 hash:

74a4963df4d4f60a65b11912a1028bea61ccf7d161e422b739f933567e496d72

MD5 hash:

b44ee46f13402238fffa0c232404b311

SHA1 hash:

d495a5765a7e2a8d02836744b1bd6e6d14d9319d

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Lokibot

STEALER_Lokibot

Link:

https://www.unpac.me/results/41d84ba9-bc71-4961-b4a6-d8217b327f0d/

SH256 hash:

45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b

MD5 hash:

fb1bc19121c4e190d83672bc71b493f0

SHA1 hash:

c3488b969ba578e28ee360be24b6416425a224a0

Link:

https://www.unpac.me/results/41d84ba9-bc71-4961-b4a6-d8217b327f0d/

SH256 hash:

8738b63d441abdbc192216aa8897dd676a35dee0e26a9b7059f15ea833eeb513

MD5 hash:

64cc97c5f4de2c76826c600b044618e8

SHA1 hash:

4eb91044aa99a786c0850a1c22e0e849a244d8eb

Link:

https://www.unpac.me/results/41d84ba9-bc71-4961-b4a6-d8217b327f0d/

SH256 hash:

1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d

MD5 hash:

8a43a10dc1358f554584a7e8c5dfdf1a

SHA1 hash:

421b526ab7b03c4fb1529af55074b4cf1fba30af

Link:

https://www.unpac.me/results/41d84ba9-bc71-4961-b4a6-d8217b327f0d/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1a295933a809/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Loki

rtf d5a6b19ed0cb225a61c510bff2f2713b3a69435527f41fbb83d4e8343effaa13

Loki

exe 1a295933a80907bda689b231e5295eae86bd19b21964ee8669ceb5598c9d714d

(this sample)

Dropped by

SHA256 d5a6b19ed0cb225a61c510bff2f2713b3a69435527f41fbb83d4e8343effaa13

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3046263/

Dropped by

MD5 d4114e19370fc67f7ba24d46bc6f53d2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample