MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34cf92c4236aec58cb4fdee3e1cd71cbad154a5d7e0e38fdf299741ab232ce03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 12

Intelligence 12 IOCs 1 YARA File information Comments

SHA256 hash:	34cf92c4236aec58cb4fdee3e1cd71cbad154a5d7e0e38fdf299741ab232ce03
SHA3-384 hash:	ff727bbb260e543acab1a98a98f4959d38fb73da192139e9e1900c487bb882f66c38271d72ae61f1cb151ba6e2bc9da0
SHA1 hash:	dc1437218a72a620cf29758d1b54502ec544008e
MD5 hash:	9276258e0b84d9aee61cc44c6bfebc73
humanhash:	friend-dakota-bravo-fix
File name:	34CF92C4236AEC58CB4FDEE3E1CD71CBAD154A5D7E0E3.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	606'208 bytes
First seen:	2021-08-31 19:00:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e045d8f17965028b18d27361d15c582 (1 x Loki)
ssdeep	12288:iCahkOVDkFrmry96ePDpofB0+pbTWpU/vXw5lZMFX:AiO6F6GgetoJd+pU3X/R
Threatray	4'557 similar samples on MalwareBazaar
TLSH	T173D45C22B6B09433C36765BC5D1B67AD5826BD10FD6CE8465FEE194CBF382403C6A293
dhash icon	5801e0ecfeded0c0 (1 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://31.220.40.22/~cmcmetal/name/mint/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://31.220.40.22/~cmcmetal/name/mint/fre.php	https://threatfox.abuse.ch/ioc/203866/

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

34CF92C4236AEC58CB4FDEE3E1CD71CBAD154A5D7E0E3.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-31 19:09:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ae2befdf-ec5e-4d7f-8a5f-79c4b6a16acf

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/184299/

Detection(s):

PUA.Win.Adware.Slugin-6840354-0

Win.Dropper.Delf-6667112-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Reading critical registry keys

Changing a file

Replacing files

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Stealing user critical data

Connection attempt to an infection source

Moving of the original file

Sending an HTTP POST request to an infection source

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/29fc5be3-2c3c-4daa-91c6-33f4299713b1

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/842922

Signature

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34cf92c4236aec58cb4fdee3e1cd71cbad154a5d7e0e38fdf299741ab232ce03/

Threat name:

Win32.Trojan.DelfInject

Status:

Malicious

First seen:

2018-04-28 17:24:13 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gthzfrbdnlwfrs2p33r6dtlrzowrkss5pyhdr7pstf2bvmrszybq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

3dd38daa4ca8630ccda829c5d97e744ed278ddbf9c79161450cdb9517c74e027

Loki

6497084e19295b7d1b081fe8d24a6ef204bbd2713e46ae3414de1cacce1f364c

Loki

84ec364c6d26c1a382649abc47eafc328c9ee5f1ef19dbddf528db50432246f7

Loki

8ca831e6478b2d7751cc75fc8a23725178b691ee4fed2d70b36238f039d04537

Loki

96502f45d9fa8235052025a0edfb89ce841b2b188259c870626f499ed68116a9

Loki

a405789e39eadf0915988ea3dec8ebc8f3bf7cc5ff14866600e0a35b473c4273

Loki

bf609b81d1aea60144f40a30b262525de69f4534ca102292a5f01b7e18b98abc

Loki

+ 4'547 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/210831-ezceky8drx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Lokibot

Malware Config

C2 Extraction:

http://31.220.40.22/~cmcmetal/name/mint/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

f442b337f05d9fa01c37e14a635c14e67176029eb6cfbd609c2b48500d0d6a39

MD5 hash:

2156e525911f37c4065ca0bd49146ba6

SHA1 hash:

b3dc9b5aa8b3896ce85cd31c209d222f5530b744

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/d10760d1-3761-4d55-a7a5-40b1af89534f/

SH256 hash:

34cf92c4236aec58cb4fdee3e1cd71cbad154a5d7e0e38fdf299741ab232ce03

MD5 hash:

9276258e0b84d9aee61cc44c6bfebc73

SHA1 hash:

dc1437218a72a620cf29758d1b54502ec544008e

Link:

https://www.unpac.me/results/d10760d1-3761-4d55-a7a5-40b1af89534f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/34cf92c4236aec58cb4fdee3e1cd71cbad154a5d7e0e38fdf299741ab232ce03

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/184299/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample