MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31000275499b6bf142cdb597bb10762150e0987982a292d7b55b16a8c55078a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31000275499b6bf142cdb597bb10762150e0987982a292d7b55b16a8c55078a3
SHA3-384 hash: c9365fc5186b325d352f4f62f9b8c88e4d790a25504d766dedcbac75037ce7f501b43513c7e4f6e8c321c5a95e21c540
SHA1 hash: b80fcb15dd32d2f09c03c8ce78b0e70f42490c9e
MD5 hash: 32eb2b4a473426dbf54a6df49dd5e3ba
humanhash: autumn-fruit-don-california
File name:32eb2b4a_by_Libranalysis
Download: download sample
Signature Loki
Create hunting rule
File size:724'480 bytes
First seen:2021-05-19 07:02:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:PnKzi++++++++f++++++++KUoLG8SlJhyg9eW1SaqbKqwNfRLgKX:PKztLG8emg9eQSbwF7X
Threatray 3'127 similar samples on MalwareBazaar
TLSH 3FF4F13722499F95E03F5B7DA07060486BF0E506E761D31C7C60A1EC2E92F929BE5B93
Reporter Libranalysis
Tags:Loki


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
32eb2b4a_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-05-19 07:59:01 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/23bccd73-3d58-4541-a707-bb762961162b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/158404/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.747-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/784655
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 07:03:09 UTC
AV detection:
10 of 47 (21.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=geaae5kjtnv7cqwnwwl3wedwefiobgdzqkrjfv5vlmlkrrkqpcrq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
20c96b7d59f0c3cfaf7d4d712a8b7defb21d901dd53c910e27fdef15e85b0836
Loki
63020b39b5227a6d191e3f59639181c46aa915b28ef97fc45a8b8e1a6a239999
Loki
634a2cd851b0ae22d1ba8775341f2fc9b00ed207d7b25d6f1ed88d8ee72ba053
Loki
63f8140e7e37fa045e36df9e5cd9858ad270161732d570735ee82bcef73f17b6
Loki
93df7f1de03ce9fe65fb9acaef08adb8b12e4fca1c6ae3333cdf2563d161268a
Loki
c9f077e9f070979416f8d2b1e8d263eda9897dfb2390865ea4c2162c0780e1ba
Loki
d40ba6722ae1f278d8c73552c4b18c50808264ead08a491002de7519e984e60d
Loki
e2e4e50d3c44c62b73cd123727de4f99eba62182a89008c374709bfdeb0eabb5
Loki
e371264367bd07e03b5ccb18c60859ded59c7ec201adc8d3eecc07f6afa0eb0c
Loki
ed5b35389cdc15f792ffef0bac637b0758a566d59945429d6e7e56965bd26b31
Loki
+ 3'117 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210519-v2jstd8spx/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://manvim.co/fb18/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/158404/

Comments