MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47db67825ceb226b9deaa66b6b77c73c6a6f34689828377baec133a5a4f75395. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47db67825ceb226b9deaa66b6b77c73c6a6f34689828377baec133a5a4f75395
SHA3-384 hash: 44525ca3245871cf7220ce2600272217f09c48e77b1094bf841dce542019aafabed3fe97d4a2e1b5a9779922d4c84dd9
SHA1 hash: bd27ec27c7b1d4c4c4196a64b7d52c6cf198449c
MD5 hash: 226f23ee7ac29724dc76a59c850a56ea
humanhash: may-high-orange-juliet
File name:l8Uqn3N4pPNmJlD.exe
Download: download sample
Signature Loki
Create hunting rule
File size:572'416 bytes
First seen:2022-04-18 10:56:26 UTC
Last seen:2022-04-18 11:43:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:QwZeBjLHxProM74rgA6zsd7OahPQ/Pg/bGgzzNbyebeyMaVfikaO46uLxH1s7rm:tZEHH1tA6KogtNbXeDaVfEOJmn
Threatray 7'978 similar samples on MalwareBazaar
TLSH T1F8C4ACD86B42C00DE6D93EB3A88254F513E1EE10AD0EF68A74E1374865B6FEBC5E4351
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 06b080940880d104 (12 x Formbook, 8 x AgentTesla, 5 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://198.187.30.47/p.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://198.187.30.47/p.php https://threatfox.abuse.ch/ioc/520844/

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264307/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.8038.11439.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/625d4400eab80a7a6c375be6/reports/2505526a-13c9-4912-9fa5-f7e4b6d2f655/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4d97eb8-9f31-4fd8-b964-da5ab742755f
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978148
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/47db67825ceb226b9deaa66b6b77c73c6a6f34689828377baec133a5a4f75395/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-18 08:40:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i7nwpas45mrgxhpkuzvww56hhrvg6nditaudo65oyez2ljhxkokq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0bcb4c2c798db189132b9e70588a72df14efdc5ee998ba4203aed16fbe56960f
Loki
97e20a8b0bef654fd20528c20efdb227a31b7e923213fc5e09eead2c71c3da5e
Loki
a412a5da88b8066b205c9fb016c8bc6b28399901c0dda795577f0c466f4f7183
Loki
d88a68b1ab516aa6ef3bdf0f5eb025ebd2da3201e2cd4afe049ca5fd3dfe05cd
Loki
f6d0dff73d9ce1016095bd9f8ab244b8a651e96ef43dfc4581d0e9c7b442ed56
Loki
+ 7'968 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220418-m188hscchq/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=29128239232679412
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
08b7ddbe3da2c7aba102a1420e1a452b3b6f4654246d58d571040f14f670566a
MD5 hash:
b2afcc019bbba5bd15ff3236bc9e956f
SHA1 hash:
ab3769324c22a53e96ec18e235b67f67e1624850
Link:
https://www.unpac.me/results/69abd83d-a830-460d-8824-a97261ac713f/
SH256 hash:
6aedd0a58cb34e3287450ef5bd338e4b1e5a9951de092fb21a7d59e869d3dec2
MD5 hash:
a9703b44240c29bc48e127a25e47e31b
SHA1 hash:
a7dc3b9443b0aff8299a97eb2780da30f76b07c6
Link:
https://www.unpac.me/results/69abd83d-a830-460d-8824-a97261ac713f/
SH256 hash:
511fc47c088c2e2b12e87dd0c2e64528b541a255ba0bf9a696b29dbebe0a6fc5
MD5 hash:
756841f4955ca26f669756513c8a633b
SHA1 hash:
5ec95a140bbd21eedf7895c59137e097c3ae911d
Link:
https://www.unpac.me/results/69abd83d-a830-460d-8824-a97261ac713f/
Parent samples :
21018fd389f7c4bd5d0951ba87b9d5dabe8e53195560b2a67f08070b2e956a0c
1d03ba79243ced8b4cbdc083f47a3ce4ea29589afd20881670e1417d07af0fcd
SH256 hash:
af1f5074eff36653e6d54c5c7aabf990aee2cc70a72db4cfb1707e452349c574
MD5 hash:
fc0ae7f6d4aa4aa2c27c26407936ec3d
SHA1 hash:
dfa9b61be7f02298605ffe7e007617016c9bfc2b
Link:
https://www.unpac.me/results/69abd83d-a830-460d-8824-a97261ac713f/
SH256 hash:
47db67825ceb226b9deaa66b6b77c73c6a6f34689828377baec133a5a4f75395
MD5 hash:
226f23ee7ac29724dc76a59c850a56ea
SHA1 hash:
bd27ec27c7b1d4c4c4196a64b7d52c6cf198449c
Link:
https://www.unpac.me/results/69abd83d-a830-460d-8824-a97261ac713f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/47db67825ceb226b9deaa66b6b77c73c6a6f34689828377baec133a5a4f75395

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264307/

Comments