MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a1d7550fd236109635ced43f8cc42b640795246ed1df49ef1f0c39f07180df9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a1d7550fd236109635ced43f8cc42b640795246ed1df49ef1f0c39f07180df9
SHA3-384 hash: 4f5cfced132bbeaec9ce312f8047d475c955865dfef467f9590314d6a53839d9b5450c00462582b2db90aafe39339964
SHA1 hash: 5f32919aee742cb7ff8ac8221cb44708a0bb82ec
MD5 hash: d638b63bad8888a8530a233d3480b257
humanhash: one-fruit-quiet-queen
File name:d638b63bad8888a8530a233d3480b257.exe
Download: download sample
Signature Loki
Create hunting rule
File size:238'373 bytes
First seen:2022-03-31 09:21:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZm2BvOU/5+cRxU3nF2VQoq22tRj50b4ZuCQDOY:HNlG/5tfxG/XRq7r
Threatray 7'155 similar samples on MalwareBazaar
TLSH T16434122C71F0D85BD5E2CB310E7396223DAC99353930479B3B106F8A3976B859A0E3D6
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://plxnva67001gs6gljacjpqudhatjqf.tk/Exodus1/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://plxnva67001gs6gljacjpqudhatjqf.tk/Exodus1/fre.php https://threatfox.abuse.ch/ioc/471268/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
PO2224477.xlsx
Verdict:
Malicious activity
Analysis date:
2022-03-31 14:23:12 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader lokibot stealer
Link:
https://app.any.run/tasks/5c6b99fa-5367-4158-b0ec-dfc1d7f5dfe3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260002/
Detection(s):
SecuriteInfo.com.Gen.Variant.Fragtor.71875.746.17445.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12172/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624572c69253b276b7b1e11d/reports/93c53634-d880-4d66-b6cc-7136adf6cb9d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de42f225-cbb2-407c-960d-993add2a5e80
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/968139
Behaviour
Behavior Graph:
n/a
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2a1d7550fd236109635ced43f8cc42b640795246ed1df49ef1f0c39f07180df9/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-03-31 09:22:09 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fioxkuh5enqqsy245vb7rtccwzahsusg5uo7jhxr6dbz6byybx4q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2289816fa967e230968ffe986a76950ba4938c6f0c3b27912ec480bf5c0e62d5
Loki
3851e1c8c896ecae1035576a4b37d1fafa0690df428e255ed709c155cf77279c
Loki
50cb7b0b1d15d89428745bd508343b52d5f197b5f57cdf83a077973bae3d1ec1
Loki
5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558
Loki
9740fa7b19f17e4c6df857ec1240c243a77ad689894ecaa92bd112709c242664
Loki
d705d1e518e32f4c1dcfdce42040cd87d30ad8cd032d9bd4fe1fde67285ac5b9
Loki
da2f8b897d09228f81c3019c98676c771b85f0d68471628dfb685201af0422d5
Loki
+ 7'145 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220331-lbw18adfhr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://plxnva67001gs6gljacjpqudhatjqf.tk/Exodus1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
728c7005cae257a4d99df169a19a412a087b67c004326f50d8156a82f7ebd132
MD5 hash:
5df3eb6224c129e7a085d1b0d72ab95b
SHA1 hash:
a662e61133bfd7f260e11c91084a3e1769aaae74
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/bbb3d339-3265-4edd-8818-3f5d507774e8/
Parent samples :
2a1d7550fd236109635ced43f8cc42b640795246ed1df49ef1f0c39f07180df9
a08a8aaa67f65ebe4ad2b3af52de80f9bdb4d05f7114e2d323af5f40386e984a
039ab35aa7e63889b2c28cda9c81c8c0fdbe818df9c0fefa70f09cf78e696304
SH256 hash:
ca0975540710474be1ad924611e4b4ccec2fedcf93911ad08e3eb7182be500b3
MD5 hash:
243c93ef2ca13c85cf78831252c92bd8
SHA1 hash:
5479df6fe2b2c49323de7c65b3b770782fa378a3
Link:
https://www.unpac.me/results/bbb3d339-3265-4edd-8818-3f5d507774e8/
SH256 hash:
6ab98435c2d2c58471e7620b5293ff8452b3c99004b3dbbd53c38b090b1bfcb9
MD5 hash:
79b1d4bb2b57df653cf468abf3f27a02
SHA1 hash:
57a4e6c5224e3981fde1c16a1680da6a7a22b0e7
Link:
https://www.unpac.me/results/bbb3d339-3265-4edd-8818-3f5d507774e8/
SH256 hash:
2a1d7550fd236109635ced43f8cc42b640795246ed1df49ef1f0c39f07180df9
MD5 hash:
d638b63bad8888a8530a233d3480b257
SHA1 hash:
5f32919aee742cb7ff8ac8221cb44708a0bb82ec
Link:
https://www.unpac.me/results/bbb3d339-3265-4edd-8818-3f5d507774e8/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2a1d7550fd23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2a1d7550fd236109635ced43f8cc42b640795246ed1df49ef1f0c39f07180df9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 2a1d7550fd236109635ced43f8cc42b640795246ed1df49ef1f0c39f07180df9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2124052/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/260002/

Comments