MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c
SHA3-384 hash: e10b5dc4e35ed6cd2cc59b8f6005163e69a8e9780fb0b062e90b0c08f04a0c9457acc614b5bcb3db02a422f9dfbece55
SHA1 hash: 1178dd34cb408cf85d542bfbb55ab66df7964f50
MD5 hash: 19457db0af3139cf602708a929705ce8
humanhash: wisconsin-salami-iowa-red
File name:4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c
Download: download sample
Signature Loki
Create hunting rule
File size:577'536 bytes
First seen:2023-05-14 09:57:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:qBz92bBxDEnrtDT1IwhlcwtVAzaHsRTEegQVt:qBQKnxdzVf8
Threatray 4'404 similar samples on MalwareBazaar
TLSH T1D0C49D525065CD5FFE2ADBB0D1B4FF95A6F1F07324E190242BB821C9CAA9F011E8D52E
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter petikvx
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
send.zip
Verdict:
Malicious activity
Analysis date:
2023-05-05 01:32:47 UTC
Tags:
rat redline loader trojan amadey keylogger evasion kelihos remcos snake miner lokibot stealer vidar arkei aurorastealer PurpleFox backdoor dcrat raccoon recordbreaker formbook xloader asyncrat
Link:
https://app.any.run/tasks/17b5ac69-5abf-48ac-97e3-d42c22e57ab0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/389344/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66716583.26344.32461.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6460b0b89afafccc175d35b1/reports/66c5b7d3-f6da-4225-bf7e-530089276e41/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a86b694b-a00e-4c9a-abad-4c8f7257b9db
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1232774
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-04-28 12:29:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ji2a5uv3f6sgu572l3zzfp7ckbsrv2o4w7tdur5tytf4saobqgga._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
19af5e15b1e1e9b6eb90f2a93f290ae53cb2ebdee29f972cfb3bf9e9dc38444e
Loki
1aa1a9e5b07f7e5a5d4cfb16aaadd4a68e2bd76c42f96e932396ccc8d5f18785
Loki
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
Loki
878f78260ff0cc10af5b6aef90f7352b83dd20db8394db7ba06bb3230a54e674
Loki
894cd5c6a63bd35486dd0e8e51a7562a8abd6655d405a588dfedc262b2d3713f
Loki
9889a91e24a729669aa276f27617f5169fd9d8f0358be427ed4e4cd9bb8e5dab
Loki
cdca513e22701403a62e153f5d197a4d7e3f0fb3ed18f66021e00b7b3720713a
Loki
d45f5ad41b7903babda50ffd7511660f1a092699c0ec56ca0dc347fccfe0f208
Loki
f79a80b0ff4dd1066e5c4844882278b420c591a05c73838a1c69190f0d145826
Loki
+ 4'394 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230514-lzhhqsbe53/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://208.67.105.148/nnanna/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
af0925e4c632166ff87032bc43ea4f85a3805db3782a49724d125f44c0731114
MD5 hash:
b9897ba5e468e516e162fd3790a9ddbc
SHA1 hash:
db264c796e4a36a45af11e8a7bf71cf0dadce0f0
Link:
https://www.unpac.me/results/452cff66-fa1a-42a0-9c1f-ca0c4872247c/
SH256 hash:
67ab57e86132f74a6220aa61f8a52554f1c95aa71a57a71dd19d745d68100553
MD5 hash:
bf6450044f4c87a7f04f475e0b40f6e3
SHA1 hash:
bfae7f81f4fe79d1b8b187edee7dea730f7f6ef0
Link:
https://www.unpac.me/results/452cff66-fa1a-42a0-9c1f-ca0c4872247c/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/452cff66-fa1a-42a0-9c1f-ca0c4872247c/
SH256 hash:
bc15f8236e51ef22fdf007aea03e4608d1f6390c5ad37a6b316c6b2d74e97b6c
MD5 hash:
e220351991feda8c223283c13fa6d80f
SHA1 hash:
83be1fcab56d3bec413cbd55ff83a229f92ee7ea
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/452cff66-fa1a-42a0-9c1f-ca0c4872247c/
Parent samples :
0699e889c84a872eccddfa07916b7a7e379ce6335e1796d67d119b6450323790
51d167499771b51338ce81d945bb083dbafbacb8256a910af55575a8f506f3e3
0af4bdeb4de3a9f8cac5601c872cd4d9a7e9fb06a4fc0a7ed4fb60d6cb64b957
b175593d1ac69bbb4ccb9d1ecac2eef8414ef9dc8bf0ff6975c63537dda6ec13
4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c
SH256 hash:
66a5de74362bbc3fac7c311e346ca21abb5331a9fa7f3c2aaab6a6166b8a3e7a
MD5 hash:
65f6b0a0c2c6482814607d52382e3afb
SHA1 hash:
63faadb6713938c71afe980f275d6a28b4258fd4
Link:
https://www.unpac.me/results/452cff66-fa1a-42a0-9c1f-ca0c4872247c/
SH256 hash:
4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c
MD5 hash:
19457db0af3139cf602708a929705ce8
SHA1 hash:
1178dd34cb408cf85d542bfbb55ab66df7964f50
Link:
https://www.unpac.me/results/452cff66-fa1a-42a0-9c1f-ca0c4872247c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 4a340ed2bb2fa46a77fa5ef392bfe250651ae9dcb7e63a47b3c4cbc901c1818c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2614105/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/389344/

Comments