MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 550494982ec4cdbba11cbaf5a44ea3a4a7ff710f78e7e8c953f33bbdc204d091. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki
Vendor detections: 10

SHA256 hash: 550494982ec4cdbba11cbaf5a44ea3a4a7ff710f78e7e8c953f33bbdc204d091
SHA3-384 hash: 49e99ec9ed9dcbfcb0d9eaaaba245f5b54ab49dc566055557fcbde18fcb3733eeefcabb73c1aee3d8c1e7045d865812f
SHA1 hash: 6996d14b646f30f2db921a14f7cb022075b66b7a
MD5 hash: 676083473f1cbd772fbb9560aaa6d78f
humanhash: september-carbon-neptune-october
File name: PO_112234525626823775.js
Signature: Loki
File size: 117'056 bytes
First seen: 2024-08-27 15:16:54 UTC
Last seen: Never
File type: JavaScript (JS), extension js
MIME type: text/plain
ssdeep: 3072:7zbLWB/sJtttttttttttttttttttattttttttttttttttttttn0ZlDrOm1tttttW:OB/m7iT
TLSH: T1CFB30896BF132DD25928C8838B242BF7FD20B99F8AA1A72032DDF954391C47549DC93D
Magika: javascript
Reporter: abuse_ch
Tags: js Loki

Intelligence

File Origin
# of uploads: 1
# of downloads: 405
Origin country: NL
Vendor Threat Intelligence

Verdict: Malicious
Score: 91.7%
Tags: Stealth Trojan

Verdict: Malicious
Threat level: 10/10
Confidence: 88%
Tags: dropper evasive
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  Allocates memory in foreign processes
  Antivirus detection for dropped file
  Antivirus detection for URL or domain
  Benign windows process drops PE files
  C2 URLs / IPs found in malware configuration
  Found malware configuration
  Injects a PE file into a foreign processes
  JScript performs obfuscated calls to suspicious functions
  Machine Learning detection for dropped file
  Malicious sample detected (through community Yara rule)
  Sigma detected: WScript or CScript Dropper
  Suricata IDS alerts for network traffic
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to harvest and steal ftp login credentials
  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Tries to steal Mail credentials (via file registry)
  Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Writes to foreign memory regions
  Yara detected aPLib compressed binary
  Yara detected Lokibot
Behaviour

Behavior Graph (ID 1499867; sample PO_112234525626823775.js; start date 27/08/2024; architecture WINDOWS; score 100), reconstructed from the graph export as a process chain:

Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
Contacted hosts: werdotx.shop; transfer.adttemp.com.br

1. wscript.exe (started from the .js sample)
   Dropped: C:\Users\user\AppData\Local\Temp\x.exe (PE32)
   Signatures: Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions; Windows Scripting host queries suspicious COM object (likely to drop second stage)
2. x.exe (started by wscript.exe)
   Network: transfer.adttemp.com.br (104.196.109.209, port 443, local port 49699; GOOGLEUS, United States)
   Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
3. CasPol.exe (started by x.exe)
   Network: werdotx.shop (188.114.96.3, local ports 49700, 49701, 49703; CLOUDFLARENETUS, European Union)
   Dropped: C:\Users\user\AppData\Roaming\...\31437F.exe (PE32)
   Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file registry); Tries to steal Mail credentials (via file / registry access); 2 other signatures
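The chain in the graph (script host, PE dropped into %TEMP%, that PE starting the signed .NET binary CasPol.exe, and the beacon coming from CasPol.exe rather than from the dropper) is what an endpoint detection should key on. The block below is an added example, not code from MalwareBazaar or from the sandbox vendor: it runs three rules plus parent-chain reconstruction over constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection) that mirror the graph. The CasPol.exe path, the injection-target names other than CasPol.exe, and port 443 for werdotx.shop are assumptions; the dropped-file paths and contacted hosts are taken from the entry.

```python
"""Detection over Sysmon-style events for the chain seen in this entry's sandbox run.

Added example, not MalwareBazaar or sandbox-vendor code. Events are constructed
to mirror Sysmon Event ID 1 (process create) and Event ID 3 (network connect)
fields; real telemetry needs a field mapping and a sensible time window.
"""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Signed .NET framework binaries commonly hollowed by loaders. CasPol.exe is the one
# observed in this run; the other names are assumptions added for breadth.
INJECTION_TARGETS = {"caspol.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def is_user_writable(path):
    """True for the user-writable locations where this run dropped its payloads."""
    p = path.lower()
    return ("\\appdata\\local\\temp\\" in p
            or "\\appdata\\roaming\\" in p
            or p.startswith("c:\\users\\public\\"))


def analyse(events):
    """Return (rule, pid, detail) alerts for the three suspicious links in the chain."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] == 1:
            parent = image_name(e["ParentImage"])
            image = image_name(e["Image"])
            # Rule 1: script host spawns a PE from a user-writable directory
            # (the behaviour behind the "WScript or CScript Dropper" Sigma hit).
            if parent in SCRIPT_HOSTS and image.endswith(".exe") and is_user_writable(e["Image"]):
                alerts.append(("script_host_dropper", e["ProcessId"], e["Image"]))
            # Rule 2: a binary in a user-writable directory starts a known injection
            # target; legitimate .NET tooling is not launched from %TEMP%.
            if image in INJECTION_TARGETS and is_user_writable(e["ParentImage"]):
                alerts.append(("injection_target_from_user_dir", e["ProcessId"],
                               f"{e['ParentImage']} -> {image}"))
        elif e["EventID"] == 3:
            # Rule 3: an injection target makes an outbound connection; CasPol.exe
            # has no business talking to the internet.
            creator = procs.get(e["ProcessId"])
            if creator and image_name(creator["Image"]) in INJECTION_TARGETS:
                alerts.append(("injection_target_network", e["ProcessId"],
                               f"{e['DestinationHostname']}:{e['DestinationPort']}"))
    return alerts


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to pid, for analyst context."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in procs:
        chain.append(image_name(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return list(reversed(chain))


# Constructed events mirroring the sandbox graph (PIDs are arbitrary; dropped-file
# paths and contacted hosts are taken from the entry).
EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "ProcessId": 8, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\PO_112234525626823775.js"'},
    {"EventID": 1, "ProcessId": 12, "ParentProcessId": 8,
     "Image": r"C:\Users\user\AppData\Local\Temp\x.exe", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 3, "ProcessId": 12, "DestinationHostname": "transfer.adttemp.com.br",
     "DestinationIp": "104.196.109.209", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 16, "ParentProcessId": 12,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",  # path assumed
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\x.exe"},
    {"EventID": 3, "ProcessId": 16, "DestinationHostname": "werdotx.shop",
     "DestinationIp": "188.114.96.3", "DestinationPort": 443},  # port assumed from the https C2 URL
    # Benign control: a logon script opening notepad from System32 must not alert.
    {"EventID": 1, "ProcessId": 30, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 31, "ParentProcessId": 30,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:32} pid={pid:<4} {detail}  chain={' > '.join(ancestry(EVENTS, pid))}")
```

Rule 3 is the one worth tuning first: it needs the creating process's image, so it only fires when the Event ID 1 record for the connecting PID is in the same window. Rule 1 on its own also fires on legitimate installers launched by logon scripts, which is why the three alerts are best correlated by PID chain before paging anyone.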
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-08-27 15:17:12 UTC
File Type: Text
AV detection: 4 of 38 (10.53%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot collection credential_access discovery execution spyware stealer trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  outlook_office_path
  outlook_win_path
  Command and Scripting Interpreter: JavaScript
  Enumerates physical storage devices
  Program crash
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Accesses Microsoft Outlook profiles
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
  Credentials from Password Stores: Credentials from Web Browsers
  Lokibot
Malware Config
C2 Extraction:
  https://werdotx.shop/Devil/PWS/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php

Please note that we are no longer able to provide a coverage score for Virus Total.
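The extracted C2 URLs are exact indicators, but note what they share: every one of them ends in the panel script name fre.php, and only werdotx.shop was actually contacted in the sandbox run, so the remaining hosts are fallbacks that may rotate. The block below is an added example, not part of this entry: it sweeps constructed proxy-log lines for the entry's URLs and hosts, for POSTs to any /fre.php path, and for the default Lokibot User-Agent "Mozilla/4.08 (Charon; Inferno)" reported in public Lokibot analyses. That User-Agent does not appear on this page and is treated as an assumption; the log format is constructed.

```python
"""Proxy-log sweep for this entry's Lokibot C2 indicators.

Added example, not MalwareBazaar code. The log format below is constructed
(tab-separated: timestamp, client IP, method, URL, status, user agent).
"""
from urllib.parse import urlsplit

# C2 URLs as listed under "C2 Extraction" in this entry.
C2_URLS = [
    "https://werdotx.shop/Devil/PWS/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOST_PATHS = {(urlsplit(u).hostname.lower(), urlsplit(u).path) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_HOST_PATHS}

# Default User-Agent hard-coded in Lokibot samples according to public analyses;
# it does not appear on this entry, so treat it as an assumption to validate.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


def parse_line(line):
    """Split one constructed log line into a record with a normalised host and path."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t")
    parts = urlsplit(url)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": (parts.hostname or "").lower(), "path": parts.path,
            "status": int(status), "ua": ua}


def classify(rec):
    """Return the strongest indicator a record matches, or None. Order is by confidence."""
    if (rec["host"], rec["path"]) in C2_HOST_PATHS:
        return "lokibot_c2_url"          # exact URL from this entry
    if rec["host"] in C2_HOSTS:
        return "lokibot_c2_host"         # listed host, another path (operators rotate paths)
    if rec["method"] == "POST" and rec["path"].endswith("/fre.php"):
        return "lokibot_fre_php_post"    # panel script name heuristic; verify before blocking
    if rec["ua"] == LOKIBOT_UA:
        return "lokibot_user_agent"      # client fingerprint regardless of destination
    return None


def scan(lines):
    """Return (timestamp, client, host+path, indicator) for every matching line."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        tag = classify(rec)
        if tag:
            hits.append((rec["ts"], rec["client"], rec["host"] + rec["path"], tag))
    return hits


# Constructed log lines: one true C2 check-in, one rotated path on a listed host,
# one unlisted host using the panel script name, one benign request, and one
# benign destination carrying the Lokibot User-Agent.
SAMPLE_LOG = [
    "\t".join(["2024-08-27T15:20:01Z", "10.0.0.15", "POST", "https://werdotx.shop/Devil/PWS/fre.php", "200", LOKIBOT_UA]),
    "\t".join(["2024-08-27T15:21:13Z", "10.0.0.22", "GET", "http://alphastand.top/alien/gate.php", "404", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"]),
    "\t".join(["2024-08-27T15:22:45Z", "10.0.0.31", "POST", "http://203.0.113.7/panel/fre.php", "200", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"]),
    "\t".join(["2024-08-27T15:23:10Z", "10.0.0.40", "GET", "https://www.example.com/index.php", "200", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"]),
    "\t".join(["2024-08-27T15:24:00Z", "10.0.0.51", "GET", "http://example.net/", "200", LOKIBOT_UA]),
]

if __name__ == "__main__":
    for ts, client, url, tag in scan(SAMPLE_LOG):
        print(f"{ts} {client:12} {tag:22} {url}")
```

The exact-URL and listed-host matches are safe to block on; the /fre.php heuristic and the User-Agent match are triage leads, since a panel script name can be reused by unrelated kits and a User-Agent string is trivially changed in new builds. Note that on an HTTPS connection the proxy only sees the path if it terminates TLS, so for werdotx.shop a plain forward proxy or DNS log will only ever yield the host-level match.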

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments