MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2
SHA3-384 hash: 6543555065ad90f69d6d66bbcfae72c2e192077b936dcd18db86a5d7ce9a699d57102cb269c8c2f08f2a5e17e2f787ee
SHA1 hash: df861ead314f860f640f9931c7c597603b571d0a
MD5 hash: ad806b1f4cf277ecffdb3c83c1bc7aa8
humanhash: shade-kansas-one-robin
File name:ad806b1f4cf277ecffdb3c83c1bc7aa8.exe
Download: download sample
Signature Loki
Create hunting rule
File size:601'088 bytes
First seen:2021-09-01 06:40:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (83 x Formbook, 33 x Loki, 31 x Loda)
ssdeep 12288:tzXe9PPlowWX0t6mOQwg1Qd15CcYk0We1rwLsjMi1d6PN54NsLs/ob2k:tahloDX0XOf4Zj11ONSmLs/o1
Threatray 5'633 similar samples on MalwareBazaar
TLSH T1E1D4238088C9CCB5F515B37590B3CE9819A5B8338CCAABA98355F97D7835103EC535AF
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://65.21.223.84/~t/i.html/B0MWbknI2Z7T2

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://65.21.223.84/~t/i.html/B0MWbknI2Z7T2 https://threatfox.abuse.ch/ioc/204150/

Intelligence

File Origin
# of uploads :
1
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ad806b1f4cf277ecffdb3c83c1bc7aa8.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 06:42:31 UTC
Tags:
trojan lokibot stealer opendir
Link:
https://app.any.run/tasks/4dd35e59-7c4e-41e6-a40d-f27ad3fb8195

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184376/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware1.26871.13679.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Unauthorized injection to a recently created process
DNS request
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Sending a UDP request
Stealing user critical data
Moving of the original file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ac1eed4-959f-480f-8392-068c9366ade8
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843132
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=km75rwtv34nrxizoxexhb7gjgcjavcbzonxfbqcdyxprd3wsdxja._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
13cd902db4c2d83cf33f2d2ab048f048126f7152a8e549fa31f5deeb4f2f0294
Loki
238eed13e028fd7316db1306510ac4aba9159fad5095caf124893aef89f7cbb3
Loki
2466b0d75b3a043f2b0f341e7eb9a67612b230228543473dfd7a663338f0688e
Loki
54802aa4ca1557f67314a573e918be4157b838d1bd0aa30c23d8e1f312994dac
Loki
8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07
Loki
8344690f025846a5a0dcf5d6012a94cddcfe48ffcc06fa6d566bb4ef149e6716
Loki
be8ca19f6d30ff45310e64470f12b39dc6529b9921899f5671be5f9359ebf8aa
Loki
d8e5a9f36cf6a0844f217c04d46790e2202479c371b7be7f76a011b0dbac5a1b
Loki
f8efdc806be878faaf8c96d42603f505f207f034106779d8a1a356d1eab253d6
Loki
+ 5'623 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210901-9blkcj5yln/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://65.21.223.84/~t/i.html/B0MWbknI2Z7T2
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
47d1fff24c43d1cc47e14bb8095c173a777f7eef9ec9f34a7f5cf31eb2092819
MD5 hash:
16d31ff104c4e11aac32e66f27c51223
SHA1 hash:
5dc930e0d73b3b5071d0748afecae2118d2c6663
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/84270dcc-76cb-4c38-9acf-8d6e8d88b93f/
SH256 hash:
915052971b56c03f1cf651768e1a7a4f28b96c56d9675dadd607bac56cc8b28b
MD5 hash:
bb45b79796e01b5a3bdf4737a0212979
SHA1 hash:
3afcbabb90ae8bc1ca92e463b7502ed8d562791e
Link:
https://www.unpac.me/results/84270dcc-76cb-4c38-9acf-8d6e8d88b93f/
SH256 hash:
533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2
MD5 hash:
ad806b1f4cf277ecffdb3c83c1bc7aa8
SHA1 hash:
df861ead314f860f640f9931c7c597603b571d0a
Link:
https://www.unpac.me/results/84270dcc-76cb-4c38-9acf-8d6e8d88b93f/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/533fd8da75df/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1507223/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/184376/

Comments