MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 463688d6dfb7d1afcb6e3b13110542de17dd81cd271a79beb55d2916b5563c4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 463688d6dfb7d1afcb6e3b13110542de17dd81cd271a79beb55d2916b5563c4c
SHA3-384 hash: 588f4550ef40ab1ab35cbfe974ce80bb97ad09db01bb3ea506cd61b48b0a74686dde854782e2998c9cf3cc874f04667f
SHA1 hash: 2670b4a3ee00a9c436d7ad5afcbf0176684225c7
MD5 hash: 75d7e4d1730247c05bd66666c8902d56
humanhash: east-angel-london-fillet
File name:75d7e4d1730247c05bd66666c8902d56
Download: download sample
Signature Loki
Create hunting rule
File size:266'240 bytes
First seen:2021-10-21 18:40:49 UTC
Last seen:2021-10-21 22:09:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 324eb7eba0d6f4cd042276a6e19d7718 (1 x Loki)
ssdeep 6144:cnhyn+X8BezX321bKbGrdXso/eIADG8el:chynmcez21mnHxD
Threatray 5'164 similar samples on MalwareBazaar
TLSH T13C44ADBC329CC874D49605308835C7E8272EB86279605177F2A72EAFEEF82D05E65357
File icon (PE):PE icon
dhash icon fcfc94d4d4d4d8c0 (24 x RaccoonStealer, 21 x RedLineStealer, 9 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199180/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.20481.5381.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6171b4409a5a1e91c5cc3093/reports/e17a2da2-7cb6-4924-8bd7-428fae43257e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a311c44-e927-4191-97f2-4ca1c4d70455
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874819
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/463688d6dfb7d1afcb6e3b13110542de17dd81cd271a79beb55d2916b5563c4c/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 14:23:45 UTC
AV detection:
15 of 27 (55.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iy3irvw7w7i27s3ohmjrcbkc3yl53aone4nhtpvvluurnnkwhrga._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
00969485768d60df4cd9c2055424b89dc7a241ab99a15c221f40dc601d4abf52
Loki
27fa1f24657b1710079922f92e16cdc7d1710257aabe93201bbf730b7ddea3a9
Loki
38bf29715b8bd57e0d6fb5357eaa2385523a66ff311da4d5c3f9349468be5635
Loki
65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed
Loki
94a1e919eb41d87d67dc8de0be85ac9fe1d2cdd47aa388d1da14c98134669e4a
Loki
9b6212468424803dd746fc4b6c4f47a4c60f4462fae640b4f01ffa466308e7db
Loki
b975efada0ebff25099dd3da9986ad31cbd92c6a3547b9cd51345484ee0bfd12
Loki
c766869a3601ab5407d5a2577f7395d32cb854af3edb663c3ca46939f123aa6a
Loki
+ 5'154 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/211021-xbrmaabefp/
Behaviour
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://63.250.40.204/~wpdemo/file.php?search=386869
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d45eeaf6aa941303d06957964f60cd0960628064831f72cb36cf4e7c42d6d053
MD5 hash:
184149c1c254ac16dfbd4554dc70e048
SHA1 hash:
39168563d21bf42a7712b6ff95d9fdaab2fc1c8a
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/37b09b60-897c-45d9-9b88-69d24c383cbf/
Parent samples :
a001d248a75b25696fc58e278aa37fb21a81dd6a2fa4ee5c126d37412cb4b993
be881776d5b641749f3581e555076ca05ec433f5396b9fefcf6870325c74fce2
463688d6dfb7d1afcb6e3b13110542de17dd81cd271a79beb55d2916b5563c4c
56c19e2e628b52c856c87a84e8bd57ddda5f5003c0632382f1d313be307b4cde
c996958847954d1197a2214aa5d513d58c4367b9813b8124bf77d52711c3b83c
c6030629e95fca38d4916ce79c7ef1424675cd8403d0e88b36b647df612c33f3
baa7a0fc43efac46f018eea0d3affe838754c5d375a1f3e9924a849c9d4b6ebc
SH256 hash:
463688d6dfb7d1afcb6e3b13110542de17dd81cd271a79beb55d2916b5563c4c
MD5 hash:
75d7e4d1730247c05bd66666c8902d56
SHA1 hash:
2670b4a3ee00a9c436d7ad5afcbf0176684225c7
Link:
https://www.unpac.me/results/37b09b60-897c-45d9-9b88-69d24c383cbf/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/463688d6dfb7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/463688d6dfb7d1afcb6e3b13110542de17dd81cd271a79beb55d2916b5563c4c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 463688d6dfb7d1afcb6e3b13110542de17dd81cd271a79beb55d2916b5563c4c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1705797/
Cape
Cape
https://www.capesandbox.com/analysis/199180/

Comments


Avatar
zbet commented on 2021-10-21 18:40:50 UTC

url : hxxp://192.227.228.37/005/vbc.exe