MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79
SHA3-384 hash: 98cf4f6bd213b1249d88356f45bd73bdeb8e7e70e8630aea3de6fc0bccb52f3cfc27e7eb9d4db1992a4486e4fcf99a31
SHA1 hash: 145bbe149069388e25c1f760269549baea73faf0
MD5 hash: d52ee6b3ae8127828700bc9b3abd6dff
humanhash: white-fruit-undress-purple
File name:d52ee6b3ae8127828700bc9b3abd6dff.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'030'144 bytes
First seen:2021-07-29 08:41:40 UTC
Last seen:2021-07-29 10:11:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SWRVjWCtfexO8AT5/d3XitoBoRoDoyof+DcC+49Qtrf3xilXupTRA85DZ5dT:rdr5/d3+K64JbDx+49Sli5QRzDp
Threatray 3'996 similar samples on MalwareBazaar
TLSH T19B259E21B6C4CE29E56E833A8EDE10644BFCFE123572E7687EE113B12909F51D8741DA
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d52ee6b3ae8127828700bc9b3abd6dff.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 09:05:35 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/067c145b-56af-4eba-9205-9f6575162734

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174936/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.8538.10652.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a225fa4-d806-46b6-8b4f-a9c375cce056
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823705
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 03:35:18 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hizqagxbfqqaue3732dbwahqry5pwbpmk3vegmodvylanyy7jr4q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0970bb89de66cfb334d0d4d55f92c0f62aee871728218dd9945454697ba13252
Loki
1ec137c2a0ecdaa902755dffb8248470f13eb64d2f96bf90a23b66e5eeb243e0
Loki
4646b43980b60ce2dbacde9a5a850a36fd88fbfd2eefdcfc465f78cf6487e91e
Loki
52ce64858a2207c3498e65cb329ee997c5fb8c43233bed0e475376c0ca4436f8
Loki
78e8252c53ad5ef298a4245fd8e99ea360a1c35658f3a4e786d23e7cdf6ef421
Loki
7f3e97e42369a76be6688dc29fe71b83b0754acc7df08a6253460e23da7d1ce7
Loki
a50383b6ad4661cdf8d6b2acdba251a846999e4533761488fcf9e8e5abc8a11f
Loki
b234fd2b368732a6c68a39b2d0c4386764e089a3f0bd74e595c73b40bc0c1c7d
Loki
c84a8e841e3a6a8f1f7e9bcf0825d56861dfeafe89525998eac73d9a16b1673a
Loki
e18238936a0fd8123a5e4f3ac03e9f31e314e7620bbda7b65540da64668bcf20
Loki
+ 3'986 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210729-6p6l5hepda/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
CustAttr .NET packer
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/NHNmTUOdS6fzz
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
a709a70edd94ed23001f25ec2da0e7359ccd90e2f2bbf7413574122ad9cb494e
MD5 hash:
dbbfcdc2b63bd2e5a1e40283f7e08d52
SHA1 hash:
e6c7eac8e738981a043fd5b91cc7f6c38c470eb8
Link:
https://www.unpac.me/results/63a6332d-013e-43b8-8657-5aa9ec54ed39/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/63a6332d-013e-43b8-8657-5aa9ec54ed39/
SH256 hash:
3c5e2adb4feb1f09d0750f4ac57908df2f94aa4d954a07a065f96cd433fe58a9
MD5 hash:
03fd204c556980b8f6c34a317a7ba4e5
SHA1 hash:
3b5d5bbbf4f4b2567c1fff4511c1c3c0503dd770
Link:
https://www.unpac.me/results/63a6332d-013e-43b8-8657-5aa9ec54ed39/
SH256 hash:
a55f90f9ae6246094de0218e1cdb8d89bca80c1d102b6e7ce25027b7610e88c5
MD5 hash:
92e2b719a21fa6d3643f70b2a9214854
SHA1 hash:
17a91aa18157842f7dda52f0a1024089f3ef337b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/63a6332d-013e-43b8-8657-5aa9ec54ed39/
Parent samples :
9535613a2373a6f71aca0b8474356d19b6563dc29f43b7c63b3c498ceab02793
0e4f0d2e0d90b452f22fc886ba7a35ffe11f2645360161a19230562689d43dba
3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79
SH256 hash:
3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79
MD5 hash:
d52ee6b3ae8127828700bc9b3abd6dff
SHA1 hash:
145bbe149069388e25c1f760269549baea73faf0
Link:
https://www.unpac.me/results/63a6332d-013e-43b8-8657-5aa9ec54ed39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 3a33001ae12c200a137fde861b00f08e3afb05ec56ea4331c3ae1606e31f4c79

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1487539/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174936/

Comments