MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fcb2d6dd4e6699e31ef782cdb40bdf65c388311c72952702e8f3024c46c2793. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fcb2d6dd4e6699e31ef782cdb40bdf65c388311c72952702e8f3024c46c2793
SHA3-384 hash: e17e41f153006ef233f80fdebae238d0d0559763ce98186356f971cf13e998901241b6d9312163807a378ae50eb60d57
SHA1 hash: 67e5b6c6c5cd7f5fc50d63063de04db9ddfd218e
MD5 hash: e1204f68e985164c7c87828095f5bcb6
humanhash: alabama-harry-edward-oven
File name:svchost.exe
Download: download sample
Signature Loki
Create hunting rule
File size:269'824 bytes
First seen:2020-07-09 15:17:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:vlSYaPYEQjHRV5Xavaavn+s/sDFTfmreP6ZXaWak96kAD:NSYAYEQjH7ov9/+KsBTfmreP6ZXa6
Threatray 1'481 similar samples on MalwareBazaar
TLSH 1F447D26F688A17BE21E863D52F332138EE0D055B619E7C6CD28DF46B5137C10DB764A
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23972/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.371.4030.4958.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Reading critical registry keys
Launching a service
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Moving a system file
Launching the default Windows debugger (dwwin.exe)
Forced shutdown of a system process
Stealing user critical data
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4fcb2d6dd4e6699e31ef782cdb40bdf65c388311c72952702e8f3024c46c2793/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 15:17:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
025088f7c1db9c5f9472badb6d1c4f119868b922c52b6bed896e8e2ff746f955
Loki
1f1745eb2812b5c0cc6c26b69661ea1d8ab78a541271950e7b97d0cd2b502db1
Loki
2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1
Loki
2c64af2b995ad6b33bc90f4103e1ae990db77c9c341279c0ab0af1c38d414405
Loki
3fe2d0dd224e7799ad1d669d3e01ec1676ce6ba39170e12df1a600ca49ae3422
Loki
6b95bdd0d0a511eb1fb20709941e92eb049f4e246b5615554090520a9a509799
Loki
bdcc6a8591676b9d879a02bcd318bfdfa260769433865db3948d929f79b5e1fa
Loki
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
Loki
ceeffdff4b0af45c77f3923e47c03a529c87dd4e0e92fdc88b0551857df53239
Loki
e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38
Loki
+ 1'471 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200709-xb3swhr612/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/vms5lZmxPBbEN
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/23972/
  
URLhaus
https://urlhaus.abuse.ch/url/410560/

Comments