MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
SHA3-384 hash: 6b5d76f6dde0b13a1819b29bf92aaeb66f4551135ee843f40116c1b5ce2e1a462ec6d13872e0717add85f021d446c5bb
SHA1 hash: 7a8dd98a122c49ee5e95d189197cf635ebb5fc68
MD5 hash: 8a2e0abebaf21cc99ed30123a0b47136
humanhash: mockingbird-william-video-burger
File name:Groupbooking.exe
Download: download sample
Signature Loki
Create hunting rule
File size:558'260 bytes
First seen:2022-10-06 06:19:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:oNuHkz32t2O6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHX:oNuEzm4ZlT+lQTD/O3BArRCHX
Threatray 192 similar samples on MalwareBazaar
TLSH T1D1C4124437914F57EB6F87740A2356498EBB8C620DE4E3EF9B01BE8E3E395824A55343
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0c32b232d3c8c453 (49 x AgentTesla, 21 x Loki, 4 x Formbook)
Reporter JAMESWT_WT
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317111/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41458/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/633e739349c58ce767c65283/reports/a336fbe1-174f-497d-8fb7-7104a5926273/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/58d0bafb-41be-4ea4-95d4-d24c50cc6fca
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084660
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 717217 Sample: Groupbooking.exe Startdate: 06/10/2022 Architecture: WINDOWS Score: 100 30 lazarovs.tk 2->30 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for dropped file 2->50 52 6 other signatures 2->52 8 Groupbooking.exe 19 2->8         started        signatures3 process4 file5 24 C:\Users\user\AppData\...\qepmaqeaec.exe, PE32 8->24 dropped 11 qepmaqeaec.exe 2 8->11         started        process6 file7 26 C:\Users\user\AppData\Local\Temp\B7F2.tmp, PE32 11->26 dropped 28 C:\Users\user\AppData\Local\Temp\B2A2.tmp, PE32 11->28 dropped 54 Found hidden mapped module (file has been removed from disk) 11->54 56 Maps a DLL or memory area into another process 11->56 15 qepmaqeaec.exe 54 11->15         started        20 qepmaqeaec.exe 11->20         started        signatures8 process9 dnsIp10 32 104.21.4.147, 49703, 49713, 49714 CLOUDFLARENETUS United States 15->32 34 lazarovs.tk 172.67.154.37, 49702, 49704, 49705 CLOUDFLARENETUS United States 15->34 36 192.168.2.1 unknown unknown 15->36 22 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 15->22 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Tries to steal Mail credentials (via file / registry access) 15->40 42 Tries to harvest and steal ftp login credentials 15->42 44 Tries to harvest and steal browser information (history, passwords, etc) 15->44 file11 signatures12
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 21:26:25 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
21 of 39 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kflrezhkc73owejgo6l47ul2iywebbma5s75cbmh3whyjctz4fpq._file
Verdict:
unknown
Similar samples:
392a280d0771a774bf35f681527f09852ffa9700d2a4b78dbd5f42de35d8b274
Loki
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
Loki
63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57
Loki
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88
Loki
83327640b003bbdb759074d1e9925381bcb661a35b531b3d9832435ae80298ac
Loki
a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
Loki
b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc
Loki
d32f28ba0890002ca897903a45f7d3b939abecd09de1128e3b5134cf57ab4960
Loki
d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53
Loki
+ 182 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221006-g3rhlagea9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d6ceb902-932e-4a78-9099-f46433b11476
Unpacked files
SH256 hash:
675102dc1e301542188237ddd81329f1be7e878747c967d1e9432a53afb64a7a
MD5 hash:
669a6d275487408a885419005f637cb3
SHA1 hash:
f69811930fa0b36aa012f8cd3ac0f86870155160
Detections:
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/b00c1ccd-8da2-43df-a44a-8e407821915b/
Parent samples :
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
3586599d4978f9857550a52a8397edd027afe7f2eafb4f66e4af98dcd0337d22
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/b00c1ccd-8da2-43df-a44a-8e407821915b/
SH256 hash:
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
MD5 hash:
8a2e0abebaf21cc99ed30123a0b47136
SHA1 hash:
7a8dd98a122c49ee5e95d189197cf635ebb5fc68
Link:
https://www.unpac.me/results/b00c1ccd-8da2-43df-a44a-8e407821915b/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51571264ea17/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317111/

Comments