MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b1919ee0c81fa0ec882aa7b244a7bd04068ff86c9adeaca5596080b09ae8bf1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b1919ee0c81fa0ec882aa7b244a7bd04068ff86c9adeaca5596080b09ae8bf1
SHA3-384 hash: 23cbb749063d518ad83d2e5682dbe7000e652aae097bbf726884d880f049709c5624e19ed61e2ca4edc62376d9e99096
SHA1 hash: b871c746e842256f439a6da34c1e4ba430873de4
MD5 hash: 5ac0f611ae311d712a93cc6a3e04ca11
humanhash: mirror-hot-beryllium-butter
File name:file
Download: download sample
Signature Loki
Create hunting rule
File size:126'274 bytes
First seen:2022-10-27 20:02:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 3072:qUJoFfWzzl+cSMqVtg2c2nn+NtShf/S4nfvVLnWZaMpTzBy:qweEpvU5hf/S4nhWpnA
Threatray 9'316 similar samples on MalwareBazaar
TLSH T190C3020AB3D0A47BE6C38B721C3AA7B2E37A5D004AA5A5475FF05F6B6D710D39409293
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter jstrosch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/325125/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.6.20459.10694.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating a file
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/46099/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07a83740-06dc-484b-bbb4-06133ca319ff
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099765
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b1919ee0c81fa0ec882aa7b244a7bd04068ff86c9adeaca5596080b09ae8bf1/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 20:26:32 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmmrt3qmqh5a5secvj5sist32bagr74gzgw6vssvsyeawcnorpyq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
289532840d818f2d035db644f506e58020aafe9c650ac6b573208c95672feece
Loki
6cfd1167777006598f5eb5d1c08e1434aefe606dfd983c683a8f14639d56d053
Loki
7db764dd4ae52c134585ef5e1fd266448d12c45e2a5e4a6665de764c6e05fdf7
Loki
d780e4059a0ef101f5eba5d1544a2c4472658de34e64a07bc6ae3033b30d05d4
Loki
e1088c0a7c4152188ff7a8383956cb3b4e912bef7e4c476e5b5ab10f2e48f47d
Loki
+ 9'306 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221027-ysn36adcb9/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://171.22.30.147/rostov/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
3196f0d83d8b826ffd4b35ed0a6600a4080eae323017b2217d6716e887ef0118
MD5 hash:
a1234fb6c7301a7b4bf2be683cd4bd4c
SHA1 hash:
56d0d2ba24a658afd831d7cd6e30d856e0e59999
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/9d4b55b5-f9f6-4bc4-8c4b-a4be67c24e8a/
Parent samples :
33afc6737c360e6f5cb75e8bc630f14367730b0769231abc42aec3b174f7df24
8f814b069d8ff80f32a16eaf24d24c68d7840821d766152c8fad6d75affe82ab
849d05c9798a3dbd1b304802741e08b9b108411cc8fe65a2c74d8e556123d59c
1b1919ee0c81fa0ec882aa7b244a7bd04068ff86c9adeaca5596080b09ae8bf1
85fb1682833c86f92b228b644d72fab46f888acdaeec26b8f7a4500a5635aab5
632c09ce6750e00cdce70d562d9170660f73901ed278cc96b3a40f394b5cbbbd
6fb0afded18be95888c34a291fae74cccc0765c6523936f308387c9afe6b52a8
25ce19e41f4c6da6d0135a596685567ba530c0f857e0d3d833b8ae6a26f3698a
edf883faefa2a0b7e14e6aec3eafe56a811876051f97fefaa7ba9c873b05f15f
9c60fc2ef70e5e20753700757ee7de5918576f04e362d4bd118d131b5c795e1b
0e6cc1bc1964dbc39e69cdc6f2db7fa3e37af36dedd4d761ff9c80840d1de7a5
SH256 hash:
96958acc9daf921ea874246264875ff33954b18f9a070993899c0f2599bf35a8
MD5 hash:
91f71ac0b0dbd7428963e46b8c837fa2
SHA1 hash:
96ea76242a2b23182aac8cda0dd4ce294f56717f
Link:
https://www.unpac.me/results/9d4b55b5-f9f6-4bc4-8c4b-a4be67c24e8a/
SH256 hash:
1b1919ee0c81fa0ec882aa7b244a7bd04068ff86c9adeaca5596080b09ae8bf1
MD5 hash:
5ac0f611ae311d712a93cc6a3e04ca11
SHA1 hash:
b871c746e842256f439a6da34c1e4ba430873de4
Link:
https://www.unpac.me/results/9d4b55b5-f9f6-4bc4-8c4b-a4be67c24e8a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1b1919ee0c81fa0ec882aa7b244a7bd04068ff86c9adeaca5596080b09ae8bf1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 1b1919ee0c81fa0ec882aa7b244a7bd04068ff86c9adeaca5596080b09ae8bf1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/325125/
  
URLhaus
https://urlhaus.abuse.ch/url/2389251/

Comments