MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28773d9e5dc1ef0fb9e3c09c5d1bd3f894270336387ef74866d3634d942b19d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28773d9e5dc1ef0fb9e3c09c5d1bd3f894270336387ef74866d3634d942b19d6
SHA3-384 hash: 9053ce7a1f42f2126f20d55dbcc423f2691d3c8b32a47b49f2ebde4cfa071c7f55522722088c4507e44f130db6286872
SHA1 hash: f0d27e2c8210a26da298bfce056338f716e698e3
MD5 hash: a20cee41b2437fbb614888d24971f29d
humanhash: magnesium-johnny-magazine-venus
File name:a20cee41b2437fbb614888d24971f29d.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'163'264 bytes
First seen:2021-08-10 16:26:21 UTC
Last seen:2021-08-10 16:53:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f4afa9907318e4335a6c33177216fafe (1 x Loki)
ssdeep 12288:aQ+3bG4kzZO4OhTx3JMXhWd3KcYrqiYwt7etMwWGwPbp+ODD72QLlAUeZ:U3bG4kg4OhTx32XhwYrqi2pfiDGslHe
Threatray 7'527 similar samples on MalwareBazaar
TLSH T1133512C82255B99DD5205E384FE1B5F2D2283E232E42692153CE7F1ABE34AE5DD113CB
dhash icon c486aa3be386ec70 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://koodakandonya.org/mp/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://koodakandonya.org/mp/fre.php https://threatfox.abuse.ch/ioc/167981/

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a20cee41b2437fbb614888d24971f29d.exe
Verdict:
No threats detected
Analysis date:
2021-08-10 16:28:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7de7aac9-a466-4913-a5d9-94748af7fc32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/178032/
Detection(s):
SecuriteInfo.com.Heur.PonyStealer.hn0@euu1h3ei.3743.4785.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Query of malicious DNS domain
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2721c55-e9c4-460a-a871-7697caaf5f72
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830371
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28773d9e5dc1ef0fb9e3c09c5d1bd3f894270336387ef74866d3634d942b19d6/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 22:38:00 UTC
AV detection:
35 of 46 (76.09%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fb3t3hs5yhxq7opdycof2g6t7ckcoazwhb7posdg2nru3fbldhla._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
6a1be88d091d3365e9343a762f8ef32e88c6c0953efd09b7fdcc6bbf514b2ebd
Loki
788af4037d2336793213e33ba539a4b8f3bed5507f660f63bcfc40e1cc67863e
Loki
7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012
Loki
7f347545daf832b84a0cb2d823af46e874cb7c69f436814c58355262e594c4d3
Loki
821bc12d61a9ad2698823b6f54bbba6b8e9fba81a167a438f7da728d1dcd381d
Loki
97e8e53c9ad758050c08da0cf14f7024dba1d7710b0f612f13d2b5a458dd13bb
Loki
b59374ff4efaa214c04a353aa3cf500ca22c43b63f27d0c3fb0495bd942ac734
Loki
c03b5d783971f4ab3ae3dac1b9576acfc0334cd919ffd74bb6ac01cbef2b128d
Loki
d01ae8d985a333d9c39bad55b8129b73451f037bff556a08ddb7f7efc17818fa
Loki
e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
Loki
+ 7'517 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210810-7vphf4mrsa/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://koodakandonya.org/mp/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
4135ca4198a2bd2cf229457006cc44c579b173e6387e9255d8aa0a516d38b9ce
MD5 hash:
8c436c4b2e2c5c37adf80cffc18076bc
SHA1 hash:
611a0dd77ddf2a2e8dbe4b139a9ba607553f83a3
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/96885547-5a9f-43d3-aebc-94be9fcd1dba/
SH256 hash:
28773d9e5dc1ef0fb9e3c09c5d1bd3f894270336387ef74866d3634d942b19d6
MD5 hash:
a20cee41b2437fbb614888d24971f29d
SHA1 hash:
f0d27e2c8210a26da298bfce056338f716e698e3
Link:
https://www.unpac.me/results/96885547-5a9f-43d3-aebc-94be9fcd1dba/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/28773d9e5dc1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/28773d9e5dc1ef0fb9e3c09c5d1bd3f894270336387ef74866d3634d942b19d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178032/

Comments