MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5095959439a744df6fc4385ffd0aabf3bade4f34adfeade45dedb58a22a49494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

SHA256 hash: 5095959439a744df6fc4385ffd0aabf3bade4f34adfeade45dedb58a22a49494
SHA3-384 hash: a69f628ce08821c3a0ce72d7b76f2f504841b6bb3dfa287ce746aa248cd00d9161a6deb789199cde1061e8abfdb90278
SHA1 hash: ddb774349d5a670dc3ebaef8831a8ba2c99facc7
MD5 hash: 4b8fc79021b3a0921c913604c5794a01
humanhash: september-india-angel-arkansas
File name: 4b8fc79021b3a0921c913604c5794a01
Download: download sample
Signature: Loki
File size: 185'001 bytes
First seen: 2022-11-24 04:40:03 UTC
Last seen: 2022-11-24 06:28:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep: 3072:QEhKzShSycSMNKvUlIvMh5shTw15V9DPzb70ObgTCKGNgHZAoT27OU/cpm:QBn1NKHI5sg/9Dbb70OokuLT6
Threatray: 9'519 similar samples on MalwareBazaar
TLSH: T14004022E31E0D0FBC613453089B77BBCD3B5B7070A25666B5BA10F7716741EA498A3CA
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 exe Loki

Intelligence

File Origin
# of uploads: 2
# of downloads: 282
Origin country: n/a

Vendor Threat Intelligence
Malware family: lokibot
ID: 1
File name: 4b8fc79021b3a0921c913604c5794a01
Verdict: Malicious activity
Analysis date: 2022-11-24 04:41:02 UTC
Tags: trojan lokibot

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Creating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph ID: 752995
Sample: J6ZxkYNOHW.exe
Start date: 24/11/2022
Architecture: WINDOWS
Score: 60
Graph signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Multi AV Scanner detection for dropped file
Process tree: J6ZxkYNOHW.exe started and dropped C:\Users\user\AppData\Local\Temp\feejn.exe (PE32); feejn.exe started, which in turn started conhost.exe, two further feejn.exe instances and 36 other processes

Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2022-11-23 13:10:21 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 24 of 26 (92.31%)
Threat level: 5/5

Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot collection spyware stealer trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://208.67.105.161/durtch/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: 60735cbf05d410570bd88ccddf07ddd80ac2b8f2602eb2889a6b7c3f6009d028
MD5 hash: b9edf938320c2842341c9c902020b982
SHA1 hash: 288e59e175e0b85fe5560cc285f4fc5dca0f0df3
Detections: lokibot win_lokipws_auto win_lokipws_g0

SHA256 hash: 3e25f11047f6a737ae941236a446b48d1fe41e0f4b413fd28eda90afb819e2cf
MD5 hash: 9eee2cb71fc485945e4c924c862081b4
SHA1 hash: bb5d41a07ddce045400b26ec65f6fb5f7c2fa569

SHA256 hash: 5095959439a744df6fc4385ffd0aabf3bade4f34adfeade45dedb58a22a49494
MD5 hash: 4b8fc79021b3a0921c913604c5794a01
SHA1 hash: ddb774349d5a670dc3ebaef8831a8ba2c99facc7
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Loki
File: Executable exe 5095959439a744df6fc4385ffd0aabf3bade4f34adfeade45dedb58a22a49494 (this sample)

Delivery method
Distributed via web download

Comments

zbet commented on 2022-11-24 04:40:04 UTC

url : hxxp://103.28.70.118/45/vbc.exe