MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e
SHA3-384 hash: f5abc6b804cca62fb34f5c6ce34d4f747dd5a2829c293a681e56ca784bc8a2e0d1196656ee23bea83264673818cc48b8
SHA1 hash: 0c2e7832967c91d67808fda336338e16cdd37421
MD5 hash: 37f9b2e8ef104b2a4adcab52ad429c08
humanhash: lima-lion-november-tango
File name:PO-10582022.exe
Download: download sample
Signature Loki
Create hunting rule
File size:582'656 bytes
First seen:2022-07-01 07:14:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Oxx2iNmUaevUEwrQZ1a6aUZme24ZjrJJSlUx:Oxx1xvUyAEmerZjrJJ
Threatray 9'192 similar samples on MalwareBazaar
TLSH T145C4E008F665E9E4E96A17FD147254D11F35D721E96FCF299DAA32C728313820087CEB
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter cocaman
Tags:exe Loki QUOTATION

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
s.exe
Verdict:
Malicious activity
Analysis date:
2022-07-01 08:04:51 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/84aaa079-f587-403c-bc95-9799b87d7eaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/284788/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62be9ef882a67b6740e43f6e/reports/14feec76-5c7b-4aa6-b8c2-6acc45582159/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/872df680-d02d-48e7-9e81-4d91ff24829b
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1023037
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Generic Downloader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-01 04:15:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=grspgeeimmgsybx7kczekto7wzkw7w6p3ta4k2jlsa7kcpo6qcpa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
00a2b2d1c4e99e23efb28284bf3980f98fa40b8f7e372d94d8993157c8df77ce
Loki
2a07302e6f73cdb98477d642dff2e9679b41ed110865fbf6202aa594fed0e88e
Loki
2c62b2f84fb089ce4973cd28668b6d9101c972ae979aa56809c34665dc0ea229
Loki
8038edc06ea50632b0a2f700361ebbb6e9153507dc51e063b90a96cd9dbbadde
Loki
85f8a2cc8a2d02d949678f8e92a9226ed443a1a59353915eb22c7eb9f15c1597
Loki
8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa
Loki
c504e8e7986d93f7792718415635914a76cd90c45a9455d36e748cdf6fe4da63
Loki
c94e22329965dbef963ba23ee509fe92e96371b29570f3853421dde24ad91801
Loki
+ 9'182 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220701-h28adshdem/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=22289002125658625
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/f50f6242-9be0-4198-910a-fab0aa35e1c8/
SH256 hash:
dd465afa6e247254a1fa9173748d8c4703cba8ee4746dfd0ec3a34cbdb4e57e8
MD5 hash:
d80430766c65bd3164edeace6348b7f9
SHA1 hash:
923e54dbef8fbe0247aa8206c93ff43fbddba7a5
Link:
https://www.unpac.me/results/f50f6242-9be0-4198-910a-fab0aa35e1c8/
SH256 hash:
022cfbc342e4ceae5579bee0e51357019339eeb161ea2255b4941d85579858dd
MD5 hash:
eb9b46a6c313d294d9ec7c54e8f40a8f
SHA1 hash:
75dc7384c70fe38afe0e23940796f8728623da5c
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
Link:
https://www.unpac.me/results/f50f6242-9be0-4198-910a-fab0aa35e1c8/
Parent samples :
56a9829d3a588c2a1f2a8e82f358214387d36cdf1a28afef973bfbae53ff888b
b212572732a5245c0c9b6230914a732a14d18880ee39983097cfdf9e4a1fdafb
2a07302e6f73cdb98477d642dff2e9679b41ed110865fbf6202aa594fed0e88e
3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e
a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d
a6d5c3429653e7201de00c45ac0f350ac7878227511a4c33ad8128767cf696a5
SH256 hash:
de340a694d9b2f2347bf03d44aeee8c59b160219bd55b9353693a14a969d0813
MD5 hash:
06dc9571745045d36556e24107faddc1
SHA1 hash:
6b8696a48f7aaad79a01df4a50ddca9f6b08cb88
Link:
https://www.unpac.me/results/f50f6242-9be0-4198-910a-fab0aa35e1c8/
SH256 hash:
16b9fc4700292684bae0ef2da4a4f4b393103771e93c0b48747df8a24af40d59
MD5 hash:
12ae0e4078e6e9da25181468d72b7ef4
SHA1 hash:
3f88feb096debc12d2f72bac4dfe7e799c7bbf36
Link:
https://www.unpac.me/results/f50f6242-9be0-4198-910a-fab0aa35e1c8/
SH256 hash:
3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e
MD5 hash:
37f9b2e8ef104b2a4adcab52ad429c08
SHA1 hash:
0c2e7832967c91d67808fda336338e16cdd37421
Link:
https://www.unpac.me/results/f50f6242-9be0-4198-910a-fab0aa35e1c8/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3464f3108863/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar e8d4c4c1dc7afc5e5c7e38188ebd8ccff158201aa195f7c6c5e681fbcbbec7d6

Loki

Executable exe 3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 e8d4c4c1dc7afc5e5c7e38188ebd8ccff158201aa195f7c6c5e681fbcbbec7d6
Cape
Cape
https://www.capesandbox.com/analysis/284788/
  
Dropped by
MD5 cfccd7d2d8ca4fd3fefe24828865479f

Comments