MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21bd15a49a0feee20817448701fcfc05370735470fedc3bce1165dbc6c556769. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs 1 YARA File information Comments

SHA256 hash:	21bd15a49a0feee20817448701fcfc05370735470fedc3bce1165dbc6c556769
SHA3-384 hash:	6c6e620e61b420f1e038b00dc27e1a67f26bbfe0cbe6027fef213f0b8eb84d61aaa9865ce84eacd1062ce544cfc8d0f5
SHA1 hash:	b168089b720828b1497697415178cf445383bd96
MD5 hash:	f3640943e3e7b3e3e33049d91345d27c
humanhash:	purple-table-three-carolina
File name:	(TWN-2021-036W) #401896.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	127'174 bytes
First seen:	2021-07-14 07:21:08 UTC
Last seen:	2021-07-14 08:05:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	3072:iBkfJpRXATwMdFCcGbeoxbuYBqLXRnay6gr4wycr72pLlILh74M:iqjIKmYBO0C2c2Shf
Threatray	3'592 similar samples on MalwareBazaar
TLSH	T131C3F26E37A1C273C7A102B0097D2B23A7FEE51111BC0B0B9BA49FD7BD56AC6461F152
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://185.227.139.18/dsaicosaicasdi.php/Rijt7lLCIHYsg

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://185.227.139.18/dsaicosaicasdi.php/Rijt7lLCIHYsg	https://threatfox.abuse.ch/ioc/160226/

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

(TWN-2021-036W) #401896.exe

Verdict:

Malicious activity

Analysis date:

2021-07-14 07:24:40 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/f9729ca7-fa9c-4adf-a70d-fd1169943b4f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/171603/

Detection(s):

SecuriteInfo.com.Zum.Androm.1.28517.20856.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/855cbc19-c4fc-4d98-a90b-453c5a6b3eea

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/816068

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/21bd15a49a0feee20817448701fcfc05370735470fedc3bce1165dbc6c556769/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2021-07-14 05:17:45 UTC

AV detection:

16 of 46 (34.78%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eg6rlje2b7xoecaxisdqd7h4au3qonkhb7w4hphbczo3y3cvm5uq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea

Loki

930a0bcb30b0ff7a6d150035840d6aee497044576bbd985b3437b65ea181ebd4

Loki

98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d

Loki

d29732d660ad3b3e1f478b179c69afae0274e5e40354e5136e22376371e795b6

Loki

de3292924ba69a7f7dfd5b6687d6c774a7aecf8e2ac1368d30ce81c61a14e73f

Loki

f967ce12d4ea51c5070859e7fb7d013a5c18027081dedc7a42d0526b9b3f0d77

Loki

+ 3'582 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/210714-vg3ky69qja/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Lokibot

Malware Config

C2 Extraction:

http://185.227.139.18/dsaicosaicasdi.php/Rijt7lLCIHYsg
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

576c7fe1ea566a8d48e862e51c13800b68feba722372cc2d522d6e3942fb73c8

MD5 hash:

f520fddc6933253f2d437a7dc1a7aa06

SHA1 hash:

b9df9b934f28d9290d5d1c211ab4b53a4f250b8f

Link:

https://www.unpac.me/results/f10174db-8c96-46cd-a9ae-a089902f87c5/

SH256 hash:

bb994798a5a978ddd3b9333a4803ceffd44504fce381b4878727eba1a2cba452

MD5 hash:

a87189bd14eb56b8b8ed02a6885f75b0

SHA1 hash:

a6bc7ca670338cbdea4b65684a12c037518b3bcf

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/f10174db-8c96-46cd-a9ae-a089902f87c5/

SH256 hash:

110ec5971c9fd0612cc04a0a7ce171f6164a24b3193a7c31e238f18ec62a3792

MD5 hash:

ee7943e2b2c29219fbd61ac42c453b4b

SHA1 hash:

8d6ccdb5fbe9e677327b114b22abe36bc57ff154

Link:

https://www.unpac.me/results/f10174db-8c96-46cd-a9ae-a089902f87c5/

SH256 hash:

21bd15a49a0feee20817448701fcfc05370735470fedc3bce1165dbc6c556769

MD5 hash:

f3640943e3e7b3e3e33049d91345d27c

SHA1 hash:

b168089b720828b1497697415178cf445383bd96

Link:

https://www.unpac.me/results/f10174db-8c96-46cd-a9ae-a089902f87c5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/21bd15a49a0feee20817448701fcfc05370735470fedc3bce1165dbc6c556769

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171603/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample