MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 476b0ad3f913696fbc5fe127aaf3dab21899844c8a4b4c1e2692b83d8381dd3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 476b0ad3f913696fbc5fe127aaf3dab21899844c8a4b4c1e2692b83d8381dd3b
SHA3-384 hash: 01891fd8101bc918cde3f6e24c4ff9c538eb11c6699de473379d4d0e50cfcdfd96efcef4211a7e103a85004e80669c8f
SHA1 hash: 8cd4bfe2488d5708376f44b5030452cf9892375a
MD5 hash: 16cc98daad2a4b9eae696bfb8cc3c0d1
humanhash: bluebird-berlin-ten-stream
File name:16cc98daad2a4b9eae696bfb8cc3c0d1
Download: download sample
Signature Loki
Create hunting rule
File size:996'864 bytes
First seen:2021-07-20 10:21:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:wgCmjEypn0uyvUIZbVfyuT/LJ79IDhgRVwPT7bm5h76KKq92RgoYSRlOFtV9lN1x:wmjEypnKvDBfh/LJBohBPUhDKqJ
Threatray 3'701 similar samples on MalwareBazaar
TLSH T1E0258C282303AF8CFC7D4B755869620493F58213D346FF9E7DD960EDAA12E828ED7116
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_BL,INV,Cargo receipts_.xlsx
Verdict:
Malicious activity
Analysis date:
2021-07-20 02:07:08 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/8c2ac915-fe75-4fd1-9799-f3fe8775f7d3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172775/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f37db326-ca89-4e3c-9704-d94fb4e0965b
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818827
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/476b0ad3f913696fbc5fe127aaf3dab21899844c8a4b4c1e2692b83d8381dd3b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 10:22:03 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i5vqvu7zcnuw7pc74et2v462wimjtbcmrjfuyhrgsk4d3a4b3u5q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
05fde892732b9dc4d7e78ef54fd7d2ab28caa582afab008a4556909b47c831e3
Loki
1c8c5e4239f09ad0db4f45e5c6db61b03e7d86e397bebd1d09f39940f1a6b79b
Loki
259cf108583b14b0a55566c39d81a5cece6f0f149919aa80556e6a07803e629d
Loki
3deeb55fefe05f51c41b1724780e5de1e33a432e01f455e3ab5d2af5ca655464
Loki
ab58dcfff4c29d6f6f4d6088c46007a8aba87bb950aedda3a6a5bb0c9d688cc8
Loki
ad2be9cf672a906a4e35b84210c95c3f2b0ebf1e55be6e2006498575b8871865
Loki
b1dd99e219b47e63e5a5c2fbe70b2b18d9894a1f3f063cdff868498278d4cb2a
Loki
cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825
Loki
edf026e5574ffb90f1df86e95bfb3dd6a3391c2ddc5786afc4506cf9c31e80ff
Loki
+ 3'691 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210720-9hhjgm8fma/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://manvim.co/fd7/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/47c67c9e-ae0e-4f4e-9a1c-f5e6544b8452/
SH256 hash:
476b0ad3f913696fbc5fe127aaf3dab21899844c8a4b4c1e2692b83d8381dd3b
MD5 hash:
16cc98daad2a4b9eae696bfb8cc3c0d1
SHA1 hash:
8cd4bfe2488d5708376f44b5030452cf9892375a
Link:
https://www.unpac.me/results/47c67c9e-ae0e-4f4e-9a1c-f5e6544b8452/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/476b0ad3f913696fbc5fe127aaf3dab21899844c8a4b4c1e2692b83d8381dd3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 476b0ad3f913696fbc5fe127aaf3dab21899844c8a4b4c1e2692b83d8381dd3b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1468149/
Cape
Cape
https://www.capesandbox.com/analysis/172775/

Comments


Avatar
zbet commented on 2021-07-20 10:21:09 UTC

url : hxxp://185.222.57.71/network/smss.exe