MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5342d363c887bc5df6640a5d0a7ae4dc5c9344615df002af7dbbb8aa7e669967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments 1

SHA256 hash:	5342d363c887bc5df6640a5d0a7ae4dc5c9344615df002af7dbbb8aa7e669967
SHA3-384 hash:	a4b9d8f9883f51757af436b8b97c1f0a3997c090b2f85a2812096b099b3971caa9eebe73c12edb4981f86b852a109b80
SHA1 hash:	83951b727bb85db87b55a3c68d2c7812640a6619
MD5 hash:	d0a58eae99dfb90ea4aa5dbf24d2fb93
humanhash:	avocado-mississippi-vegan-delta
File name:	d0a58eae99dfb90ea4aa5dbf24d2fb93
Download:	download sample
Signature	Loki Create hunting rule
File size:	476'160 bytes
First seen:	2021-11-02 09:00:29 UTC
Last seen:	2021-11-02 14:11:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:d9nbrVyE06WGSt9bKg8vKs63hLTlZ06Y3e5xo:d9nbaKguKNRTxc
Threatray	5'355 similar samples on MalwareBazaar
TLSH	T121A4CF3824E45626CBED83759D55C51913B19CAEA013EB1C1DF0FEE33AFD7A34A06846
File icon (PE):
dhash icon	d0f4ccf2faaaead4 (10 x Loki, 9 x AgentTesla, 9 x Formbook)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d0a58eae99dfb90ea4aa5dbf24d2fb93

Verdict:

Malicious activity

Analysis date:

2021-11-02 09:09:10 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/5c173be0-571e-42ca-afb5-43d3872b2c61

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/201364/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.47300229.15364.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6180fe50bf51178dbe483392/reports/d5f6c913-77be-465f-a7f0-2d04bef6dce0/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b02693c5-4372-4501-b506-57fd9645c3e8

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/881107

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/5342d363c887bc5df6640a5d0a7ae4dc5c9344615df002af7dbbb8aa7e669967/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-02 09:01:04 UTC

AV detection:

12 of 45 (26.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=knbngy6iq66f35tebjoqu6xe3rojgrdblxyafl35xo4ku7tgtftq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/211102-kywhjacbh7/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://secure01-redirect.net/ga18/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

96c1773fc8fa1bacb82247fc34ce42d47db9aa889e7794e564ba045b0b0c3115

MD5 hash:

3fce1d53c05299b98aaeb3d4b77e8396

SHA1 hash:

d92de4b17b488f62e5725df7b41e28391ac70c1c

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/e108b1a9-cfd6-4338-9fc5-7fa7c80fe20f/

Parent samples :

98ed85bf441ec79455c8f951b8f248c98a67c4271aa8890efecb6cf8fd60e773
2ef14b8f3874b9f72e814af5e868f30973c3e9db9f812d037fb3485f1487eca9
5342d363c887bc5df6640a5d0a7ae4dc5c9344615df002af7dbbb8aa7e669967
cffbf152c52afdee21ac3423d65f5d6a947342dfb1dd3871c18c8148713c02bc
08a432fce2ce0eddb6a02573a6a44d4a443f4476fd9a7f9902386747c4f38de5
282b2c8f35139c3a89785d6f043b15ae8d6eed0c9e6242382a4a6ec153bbeca6

SH256 hash:

7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785

MD5 hash:

171a2669225911b41301096cd9dcf19f

SHA1 hash:

dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5

Link:

https://www.unpac.me/results/e108b1a9-cfd6-4338-9fc5-7fa7c80fe20f/

SH256 hash:

4266a5c8b54829262254a1f80c92b5daba31990c040c970723cd96245b3b8fb0

MD5 hash:

72462902dfc2c912cf4cbbf69d39b16f

SHA1 hash:

e14a49bf5b5d1c96b8958019c83e6a405b61c749

Link:

https://www.unpac.me/results/e108b1a9-cfd6-4338-9fc5-7fa7c80fe20f/

SH256 hash:

5342d363c887bc5df6640a5d0a7ae4dc5c9344615df002af7dbbb8aa7e669967

MD5 hash:

d0a58eae99dfb90ea4aa5dbf24d2fb93

SHA1 hash:

83951b727bb85db87b55a3c68d2c7812640a6619

Link:

https://www.unpac.me/results/e108b1a9-cfd6-4338-9fc5-7fa7c80fe20f/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/5342d363c887/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/5342d363c887bc5df6640a5d0a7ae4dc5c9344615df002af7dbbb8aa7e669967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 5342d363c887bc5df6640a5d0a7ae4dc5c9344615df002af7dbbb8aa7e669967

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1738558/

Cape

https://www.capesandbox.com/analysis/201364/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-11-02 09:00:32 UTC

url : hxxp://202.55.134.54/77077/vbc.exe