MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa
SHA3-384 hash:	acb0cfe3ab9b0da55784714f9c25c713a6e63f521d9ff71800317ce4ac1eff57d38ba3d665c63682e81cc14fb2c4e2c7
SHA1 hash:	3424a7e1bc802df3a73d9dc4a67db9d3b155954a
MD5 hash:	3efdf4f15c056706262480a719471811
humanhash:	massachusetts-mobile-pizza-king
File name:	Sales_Order_S21080059.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	376'832 bytes
First seen:	2021-08-26 03:23:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ef471c0edf1877cd5a881a6a8bf647b9 (64 x Formbook, 33 x Loki, 29 x Loda)
ssdeep	6144:D4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0PzM:MXe9PPlowWX0t6mOQwg1Qd15CcYk0We8
Threatray	5'338 similar samples on MalwareBazaar
TLSH	T18084124548C4CCA6E71AB374D0B3CF9819657832CC956B689758FA2EB870343B853E6F
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	GovCERT_CH
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Sales_Order_S21080059.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-26 03:25:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b69e92af-05e6-4e1d-8c00-743f6b03fc36

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/182457/

Detection(s):

PUA.Win.Packer.Upolyx-12

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Unauthorized injection to a recently created process

Reading critical registry keys

Changing a file

Replacing files

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Sending a UDP request

Stealing user critical data

Moving of the original file

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a233dc56-19c7-45e6-ba90-901c0faea228

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/839437

Signature

Antivirus detection for URL or domain

AutoIt script contains suspicious strings

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2021-08-26 00:47:35 UTC

AV detection:

12 of 43 (27.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=faliy6qp77dhq4sbwldorsp4cwiok4k7x2rk6wglfzhzfzzdot5a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer suricata trojan upx

Link:

https://tria.ge/reports/210826-mcfk43yce2/

Behaviour

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://brokenislegion.gq/Office5/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

7a300c63a855f82eee8012517296f312e5b2a1a2d5d2b44613e47a5394173352

MD5 hash:

3e90fe02e1e1a9aba2dfdfd098d0dca9

SHA1 hash:

fd1ebd25a013a0efe8851ed65f8b9777b75446cd

Link:

https://www.unpac.me/results/52620c0b-eef8-443e-89c6-e2a38bf127e1/

SH256 hash:

28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa

MD5 hash:

3efdf4f15c056706262480a719471811

SHA1 hash:

3424a7e1bc802df3a73d9dc4a67db9d3b155954a

Link:

https://www.unpac.me/results/52620c0b-eef8-443e-89c6-e2a38bf127e1/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/28168c7a0fff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe 28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/182457/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample