MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f
SHA3-384 hash: 7ce550878c2a1d94f20330a20521de19ad663eeb0bc374ddc7a3937dc4f6fd973c672e67bf53312c63c4c7b86adac0c3
SHA1 hash: e9cb919dc13a963c06093b4eccc5903b6af5fb31
MD5 hash: b15fd3f793bd097c47a5532f699088df
humanhash: echo-april-high-october
File name:b15fd3f793bd097c47a5532f699088df.exe
Download: download sample
Signature Loki
Create hunting rule
File size:260'640 bytes
First seen:2021-10-11 18:40:20 UTC
Last seen:2021-10-11 20:17:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:F8LxBs/NEUKEow3qPsIpbtmY2nKe4ib3KhAZbcVJc:/iUKEf3qPpH+3eGR
TLSH T18744121226D190F7CCC11E315A3AB77AFBBEC91412215A4B0FD81F775A7308BE46A3A5
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b15fd3f793bd097c47a5532f699088df.exe
Verdict:
Malicious activity
Analysis date:
2021-10-11 19:13:26 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/1bb77025-4519-4418-953d-47f55685f3d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196713/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.22901.7050.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/616485411c2d58ba74021d64/reports/05ecc4a8-c088-4b7e-94b9-3f70c6364242/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ba872a8-0c0b-4f11-9664-34ac30a495e4
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867827
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f/
Threat name:
Win32.Trojan.Nsisx
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 18:41:06 UTC
AV detection:
12 of 44 (27.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzo2ztnbmjf4gqjpapcio3yskt2x7yd7zp7hgds2ew2mkcrjynhq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211011-xbrmaahhc9/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=488
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
6458da48fde8b48546251db352af4afa8d12a47e45188e3fd2d576613f691709
MD5 hash:
7f8740b58177f1ddc0679c1117469b51
SHA1 hash:
febc9f41d6731b5540d2f756310a85f656f68f4c
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/605ff2be-104b-434b-aa19-a41ea5707ede/
Parent samples :
8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d
d8d1ebdb241277b39607ea8d4c63853c25b6523a3a88d720373a0f9efd03a686
4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f
SH256 hash:
5b66f077289db839a26be894abc41c425e5844db09e5ce26e94ca4d05db2a728
MD5 hash:
a8d213c1d114cd0f2976765a83a16c5a
SHA1 hash:
363fad581d0170597cee7877e63914d9ee9ae75b
Link:
https://www.unpac.me/results/605ff2be-104b-434b-aa19-a41ea5707ede/
SH256 hash:
4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f
MD5 hash:
b15fd3f793bd097c47a5532f699088df
SHA1 hash:
e9cb919dc13a963c06093b4eccc5903b6af5fb31
Link:
https://www.unpac.me/results/605ff2be-104b-434b-aa19-a41ea5707ede/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4e5daccda162/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1659292/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196713/

Comments