MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48530d0a7998377381a3113c006f2886c14019938af1bb618fd9911e62ea571d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 6

SHA256 hash: 48530d0a7998377381a3113c006f2886c14019938af1bb618fd9911e62ea571d
SHA3-384 hash: be43caefd1b4589611ba7a8eb3ce3864c5be73a70ab78623ca5ea9d9daa735aad38dccaaeee16836f8a3af2bb33ec7d3
SHA1 hash: 1e930a5c1e6084ebec1ec13904ff606fbe95078a
MD5 hash: cc6806aac79a24a3b5f50780257a7cdb
humanhash: river-solar-oxygen-bulldog
File name: win32[1].bin
Signature: Loki
File size: 235,437 bytes
First seen: 2020-07-24 05:25:20 UTC
Last seen: 2020-07-24 08:24:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep: 6144:1PCganNIGcvtYLab1JGOxHsxGcBzTuSOvl:banGGcvtY2bbGOxMQcBul
Threatray: 639 similar samples on MalwareBazaar
TLSH: D2341244539094EBD8B541B22930BD7FABB9ED1A515ACA079B903F1E38730877D2E391
Reporter: JAMESWT_WT
Tags: Loki
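Before working on a sample pulled from this entry, check that the bytes on disk really are the file the page describes. The following is an added example (not MalwareBazaar code): it recomputes the four digests listed above with hashlib and compares them, plus the file size, against the entry. The imphash, ssdeep and TLSH values are not recomputed here; that would need pefile, python-ssdeep and python-tlsh. Note also that the imphash line above is shared by 160 Loki, 58 Formbook and 55 Adware.Generic samples, so it identifies a packer/loader build rather than a family; the full SHA256 is what you verify against.

```python
"""Verify a downloaded sample against the hashes in this MalwareBazaar entry.

Added example, not MalwareBazaar code. Standard library only.
"""
import hashlib

# Values copied from the entry above.
ENTRY_HASHES = {
    "md5": "cc6806aac79a24a3b5f50780257a7cdb",
    "sha1": "1e930a5c1e6084ebec1ec13904ff606fbe95078a",
    "sha256": "48530d0a7998377381a3113c006f2886c14019938af1bb618fd9911e62ea571d",
    "sha3_384": "be43caefd1b4589611ba7a8eb3ce3864c5be73a70ab78623ca5ea9d9daa735aad38dccaaeee16836f8a3af2bb33ec7d3",
}
ENTRY_SIZE = 235437  # bytes, from the "File size" line above


def hash_bytes(data: bytes) -> dict:
    """Compute all four digests the entry lists in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(data: bytes, expected: dict = ENTRY_HASHES, size: int = ENTRY_SIZE) -> dict:
    """Return {'size': bool, 'md5': bool, 'sha1': bool, ...}.

    Every value must be True before the file is treated as the sample this
    page describes; a single mismatch means you are looking at something else
    (a truncated download, the wrong file out of the archive, a re-upload).
    """
    computed = hash_bytes(data)
    report = {"size": len(data) == size}
    for name, digest in expected.items():
        report[name] = computed[name] == digest.lower()
    return report


def mismatches(report: dict) -> list:
    """Names of the checks that failed, sorted for stable output."""
    return sorted(name for name, ok in report.items() if not ok)


if __name__ == "__main__":
    import sys

    # Usage: python verify_sample.py <path to the unpacked win32[1].bin>
    with open(sys.argv[1], "rb") as f:
        report = verify_sample(f.read())
    bad = mismatches(report)
    print("OK: matches the entry" if not bad else "MISMATCH in: " + ", ".join(bad))
```

The expected-values dictionary is passed as a parameter so the same routine can be pointed at another entry's hashes; comparing all four digests rather than just MD5 also guards against the (unlikely but cheap to rule out) case of a planted MD5 collision.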

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 79
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Launching a process
Launching cmd.exe command interpreter
Deleting a recently created file
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a system process
Stealing user critical data
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 250619
Sample: win32[1].bin
Start date: 24/07/2020
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  4 other signatures

Process tree:
  win32[1].exe (started)
    dropped: C:\Users\user\AppData\Local\...\msddslmp.dll (PE32)
    dropped: MicrosoftVisualJUp...EngineInterface.dll (PE32)
    dropped: C:\Users\user\AppData\Local\...\UserInfo.dll (PE32)
    dropped: C:\Users\user\AppData\...\FayMonochasium.dll (PE32)
    rundll32.exe (started)
      signatures:
        Overwrites code with unconditional jumps - possibly settings hooks in foreign process
        Hijacks the control flow in another process
        Maps a DLL or memory area into another process
      cmd.exe (started)
        network: goldrealestate.ga 84.38.180.51, ports 49736, 49737, 49738 (SELECTELRU, Russian Federation)
        dropped: C:\Users\user\AppData\Roaming\...\AA2F06.exe (PE32)
        signatures:
          Overwrites code with unconditional jumps - possibly settings hooks in foreign process
          Tries to steal Mail credentials (via file registry)
          Tries to harvest and steal browser information (history, passwords, etc)
          Drops or copies cmd.exe with a different name (likely to bypass HIPS)
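The behaviour list and process tree above give concrete indicators: HTTP POSTs to goldrealestate.ga / 84.38.180.51, DLLs dropped under AppData\Local, an executable written under AppData\Roaming by cmd.exe, and the win32[1].exe -> rundll32.exe -> cmd.exe chain. The following is an added example (not part of MalwareBazaar or either sandbox report) that turns those indicators into a scanner over proxy, file-create and process-create logs. The three log line formats are hypothetical and the log lines themselves are constructed for the example; adapt the parsers to your own proxy or EDR export.

```python
"""Scan log lines for the indicators in this entry's sandbox report.

Added example, not MalwareBazaar or vendor code. Log formats are hypothetical.
"""
import ntpath
from dataclasses import dataclass

# Indicators taken from the behaviour graph above.
C2_HOSTS = {"goldrealestate.ga"}
C2_IPS = {"84.38.180.51"}
DROPPED_NAMES = {"msddslmp.dll", "userinfo.dll", "faymonochasium.dll", "aa2f06.exe"}
# Chain observed in the sandbox: dropper -> rundll32.exe -> cmd.exe
SUSPICIOUS_RUNDLL32_CHILDREN = {"cmd.exe"}


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


def scan_http_log(lines):
    """Constructed format: '<ts> <src_ip> <dst_ip>:<dst_port> <METHOD> <host> <uri>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 6:
            continue
        _ts, _src, dst, method, host, _uri = parts[:6]
        dst_ip = dst.rsplit(":", 1)[0]
        if host.lower() in C2_HOSTS or dst_ip in C2_IPS:
            reason = f"contact with Lokibot C2 {host} ({dst_ip})"
            if method.upper() == "POST":
                reason += "; HTTP POST matches the exfiltration behaviour"
            hits.append(Hit(n, reason, line))
    return hits


def scan_file_events(lines):
    """Constructed format: '<ts> FileCreate <writing_image> <path>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or parts[1] != "FileCreate":
            continue
        _ts, _ev, image, path = parts
        name = ntpath.basename(path).lower()
        writer = ntpath.basename(image).lower()
        if name in DROPPED_NAMES:
            hits.append(Hit(n, f"file name from the sandbox report: {name}", line))
        elif writer == "cmd.exe" and name.endswith(".exe") and "\\appdata\\roaming\\" in path.lower():
            hits.append(Hit(n, "cmd.exe wrote an executable under AppData\\Roaming", line))
    return hits


def scan_process_events(lines):
    """Constructed format: '<ts> ProcessCreate <parent_image> <child_image>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4 or parts[1] != "ProcessCreate":
            continue
        parent = ntpath.basename(parts[2]).lower()
        child = ntpath.basename(parts[3]).lower()
        if parent == "rundll32.exe" and child in SUSPICIOUS_RUNDLL32_CHILDREN:
            hits.append(Hit(n, f"rundll32.exe spawned {child} (chain seen in the sandbox)", line))
    return hits


# Constructed sample logs; line 2 of each set should fire, the others are benign noise.
HTTP_LOG = [
    "2020-07-24T05:30:01Z 10.0.0.12 93.184.216.34:443 GET example.com /",
    "2020-07-24T05:30:07Z 10.0.0.12 84.38.180.51:80 POST goldrealestate.ga /",
]
FILE_LOG = [
    r"2020-07-24T05:29:50Z FileCreate C:\Users\user\Downloads\win32[1].exe C:\Users\user\AppData\Local\Temp\msddslmp.dll",
    r"2020-07-24T05:29:58Z FileCreate C:\Windows\System32\cmd.exe C:\Users\user\AppData\Roaming\X\AA2F06.exe",
    r"2020-07-24T05:30:00Z FileCreate C:\Windows\explorer.exe C:\Users\user\Documents\notes.txt",
]
PROC_LOG = [
    r"2020-07-24T05:29:55Z ProcessCreate C:\Users\user\Downloads\win32[1].exe C:\Windows\System32\rundll32.exe",
    r"2020-07-24T05:29:56Z ProcessCreate C:\Windows\System32\rundll32.exe C:\Windows\System32\cmd.exe",
]


def scan_all(http=HTTP_LOG, files=FILE_LOG, procs=PROC_LOG):
    """Run every scanner and return the combined hit list."""
    return scan_http_log(http) + scan_file_events(files) + scan_process_events(procs)


if __name__ == "__main__":
    for hit in scan_all():
        print(f"line {hit.line_no}: {hit.reason}\n    {hit.line}")
```

The file-name and C2 matches are exact indicators from this one sample and will age quickly; the two behavioural rules (cmd.exe writing an executable into AppData\Roaming, and rundll32.exe spawning cmd.exe) cover the loader chain regardless of which domain or DLL names the next build uses, at the cost of needing tuning against legitimate installers in your environment.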
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-07-24 05:24:19 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Loki
File type: Executable exe
SHA256: 48530d0a7998377381a3113c006f2886c14019938af1bb618fd9911e62ea571d (this sample)

Delivery method
Distributed via web download

Comments