MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 544addebbf8ea00ed593dce1a7ff350ea6222d7ecbec5e81158735a33b11729e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 544addebbf8ea00ed593dce1a7ff350ea6222d7ecbec5e81158735a33b11729e
SHA3-384 hash: 1e56649b7b859b92f123c295d994f09b387b714b7394ed9ed08cb2acdd599b7524ffb951305799c46807ddd8f9dda204
SHA1 hash: 85764a677542a513587e5252bbb6b3ccaff67773
MD5 hash: 1326e4f2a8c7f5ef48c8a46d133bc6e3
humanhash: quiet-blue-dakota-seven
File name:1326e4f2a8c7f5ef48c8a46d133bc6e3.exe
Download: download sample
Signature Loki
Create hunting rule
File size:651'776 bytes
First seen:2021-01-20 14:20:48 UTC
Last seen:2021-01-20 15:52:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5064414005440c05f6346292b90ee3f2 (7 x RemcosRAT, 3 x Loki, 2 x ModiLoader)
ssdeep 12288:sNx7I7LYl/9l89x3hemQ4pYut1QocOcq7qspk:sjl/9l+x31QcHGOcq+sp
Threatray 40 similar samples on MalwareBazaar
TLSH B9D48E67F2E04573D12B167D9C5B9764AC3ABE013D38984A6FE53D488F3938138392A7
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://104.223.170.100/goldie/Panel/five/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1326e4f2a8c7f5ef48c8a46d133bc6e3.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-20 14:58:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f86aae7d-a8bf-47bd-9fc9-fce3b721c855

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113104/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Sending a UDP request
Sending an HTTP GET request
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/586203
Signature
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/544addebbf8ea00ed593dce1a7ff350ea6222d7ecbec5e81158735a33b11729e/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 14:21:05 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=krfn3257r2qa5vmt3tq2p7zvb2tcell6zpwf5aivq422goyrokpa._file
Verdict:
malicious
Similar samples:
1f77b91c5d343948cb84ae9f1a50eb5f8d887cb9b06de1ff30a1130567b4e09a
Loki
4573443acbca7a1f829d721f95c2944a6a2ddd97a4bf484fd993f748d298b285
Loki
817a2e3808a201ec10ce3c1181e88a0d88f1605dc2c31e2809f3b3d7340959d0
Loki
823ac795c82f035c86b71f68c8e77eea1ef916c77502d78fc2081d3fd660cde0
Loki
a4ab58cc18771c7141e96d45714b7aeb046ff7173ec5266f08da7b28d411744e
Loki
bb639bf4f7fe2289c7aac466c738998a83d6057f961c6eee77e51bc4e24eee00
Loki
c3daf1d20367ee0d7a849419594356ec6cad7c9169107b332c64ab67cb739823
Loki
c7bd80117055942f0f622a346479856e7272fb071dd1d709387dd4c8fd4f2ea5
Loki
c7d2763c845a08a22775c242be4368bbad967ae4d2f82be1042645d6a70320a5
Loki
df25440a54d9c6a3984aaca69287609df2872b64a8f0a5f5daa42fefad4c5070
Loki
+ 30 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader
Link:
https://tria.ge/reports/210120-gqc68h145s/
Behaviour
Script User-Agent
Unpacked files
SH256 hash:
544addebbf8ea00ed593dce1a7ff350ea6222d7ecbec5e81158735a33b11729e
MD5 hash:
1326e4f2a8c7f5ef48c8a46d133bc6e3
SHA1 hash:
85764a677542a513587e5252bbb6b3ccaff67773
Link:
https://www.unpac.me/results/0ed6baf6-e295-4605-a695-e9682ab2af79/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/544addebbf8ea00ed593dce1a7ff350ea6222d7ecbec5e81158735a33b11729e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 544addebbf8ea00ed593dce1a7ff350ea6222d7ecbec5e81158735a33b11729e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/971652/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113104/

Comments