MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f3bbac27a7a4ef0f0c858abf426b3d33ee7d6b82a4cda53ec33cb645185e55c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f3bbac27a7a4ef0f0c858abf426b3d33ee7d6b82a4cda53ec33cb645185e55c
SHA3-384 hash: 881fb27158c09fdbf905244372567973beded4f04b7fe2b315266bd32e48e657d055881c964f9c8d73ef00d8c5121044
SHA1 hash: 6060adac4ba24f566442f0ab25c4d65601a35d05
MD5 hash: 216a4e1be6ff06ea30132875e394a45c
humanhash: potato-lima-hamper-butter
File name:Swift Copy.exe
Download: download sample
Signature Loki
Create hunting rule
File size:125'904 bytes
First seen:2022-04-26 17:27:18 UTC
Last seen:2022-04-26 18:22:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:l1NjcVVnLpPunb49FH1ddMhaHS48OB7u+ozDUICdIictxF:HNeZm49V1dewzDB0nEcN
Threatray 7'531 similar samples on MalwareBazaar
TLSH T1D8C3F10073E5C0F7E59706321E7A97676FB7DD2620B4432F0760AB8D79527829A0E763
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/266933/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Sending a UDP request
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62682ba4801e66012b0ef000/reports/bf9c0e56-5c45-460e-bd0d-75d5797f7cd6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62ce042d-ffbd-46b4-9d6a-21c405bfbe50
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/983487
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4f3bbac27a7a4ef0f0c858abf426b3d33ee7d6b82a4cda53ec33cb645185e55c/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-04-26 17:27:01 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j453vqt2pjhpb4gilcv7ijvt2m7opvvyfjgnuu7mgpfwiumf4voa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
111034f27e3ca14869a34302882101b980b6088e28faf3cc34f6456116559959
Loki
79b7f4abc65b134b08a0c96666d69203d56cbb6aa5333fa992c78e58d14d413d
Loki
84d953cd48be96057c97f9cd6456ddf4b430f35a7d0fad1c0457e9be5379cb10
Loki
c340d05738f7bfcf038571ea92b2b6f04b00751b6bf335b629846e83e3a9ba82
Loki
c6216dc2be2714f4ababe05db055291469d022432995247565e0a130830b1167
Loki
dee203595ec8d8c6e974d1d1720f82ad01f1e3728243612941e561d5b9f7f3a3
Loki
+ 7'521 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220426-v1zm3shchr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://45.133.1.45/me/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
786641357be3393717d15a66000e395539833beadeadd7504c672138d24d8e79
MD5 hash:
93da12f1426ce0c438ec1be556b8dd14
SHA1 hash:
893580588c57ab84ec7129c096bad461f6652a1e
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/128c50a7-a351-4cf0-97b4-0f693a7889db/
Parent samples :
0bcb4c2c798db189132b9e70588a72df14efdc5ee998ba4203aed16fbe56960f
716cef6988e3d7cc2a4bbcc7140995c280a23b2e6b54824eac031fdb4905be9b
86c6cc93d8405840ca3be8cbc58db75d6ed324c115461969aebcbf0a84f13a21
5833bb5b323155bc7055ccec5ce39e093901b609ccde004f104857abca656c3a
e467de436bdab4d5135f3e96abe24eb7b912e9b8024dc020b39c0e5df4745304
467f56bac6833fd37c3008e275c85a43352a3bc9712e803e7ebef5d86a47ce47
4f3bbac27a7a4ef0f0c858abf426b3d33ee7d6b82a4cda53ec33cb645185e55c
dc20351f5143916c3be56337c798bc4d6389afe08c7a2fc610283989391c3604
f4444d9d72b57601f4bd9c4a93036abc3940f589c002c2330e47877f22650951
c4c6068b86fcdf0f5ebe83a9d114bc16f2f5fd9baa4d056036954bdf06061004
5c2f7cf7cc4886a0e1905b2de9f1e9b1b376120f1a7a5c82151b6f77e6f77b90
2aea00a617849d6481827a5215ba64c3423bd2121e7ad35926807e79ac53594e
SH256 hash:
e12836406924d23627f6f58065f937c7b8e0530891e2a70e8626bd39800c4067
MD5 hash:
5aebdc29a2fd9145d74de764eef053d9
SHA1 hash:
e10cc505d8dfd132541236430e1d68741625d55b
Link:
https://www.unpac.me/results/128c50a7-a351-4cf0-97b4-0f693a7889db/
SH256 hash:
22897d6e2c9fb13e85a4df49d8b637e97a01e629a7554a04dc4962836aae6572
MD5 hash:
014bffd8f4237b65734472cfe2a94427
SHA1 hash:
0448defeaf74672c67bde48ccd5d042d619528b7
Link:
https://www.unpac.me/results/128c50a7-a351-4cf0-97b4-0f693a7889db/
SH256 hash:
4f3bbac27a7a4ef0f0c858abf426b3d33ee7d6b82a4cda53ec33cb645185e55c
MD5 hash:
216a4e1be6ff06ea30132875e394a45c
SHA1 hash:
6060adac4ba24f566442f0ab25c4d65601a35d05
Link:
https://www.unpac.me/results/128c50a7-a351-4cf0-97b4-0f693a7889db/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f3bbac27a7a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f3bbac27a7a4ef0f0c858abf426b3d33ee7d6b82a4cda53ec33cb645185e55c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/266933/

Comments