MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 570ca80a1165eff70e52b4c9c69745fb94f2816640ac71d7cb055d4b5aa1680c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	570ca80a1165eff70e52b4c9c69745fb94f2816640ac71d7cb055d4b5aa1680c
SHA3-384 hash:	4f8f69604f14e1dd94592ab85b15ba3ec979fcaa15b7613acce7c1a3fb306d51466191a002119ccad5578d0b0f490610
SHA1 hash:	4b41559085541b309426829779b52d0a2e1ff581
MD5 hash:	a352361c5f9494d84fc8737b90bf92d5
humanhash:	muppet-solar-snake-five
File name:	Product_list.xll
Download:	download sample
Signature	Loki Create hunting rule
File size:	641'536 bytes
First seen:	2022-04-28 06:35:53 UTC
Last seen:	Never
File type:	xll
MIME type:	application/x-dosexec
imphash	be710ba34b048ab0098050ccf62e369c (18 x Formbook, 14 x Dridex, 9 x AgentTesla)
ssdeep	6144:HxOJXk57IMp7oyR4y6Qf3lbp83A6zbKsS5ukTP2YmqtkSGUmuqZGw+gSe81Hf2:Hx2s7IMrR4yVld8bzbBSreCqZGDxf
Threatray	8'507 similar samples on MalwareBazaar
TLSH	T1CDD46D55BECA6EA1EFBF43B78361DA3D1126736D03A1A6CF6603059D3951EC2443EA03
TrID	58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 34.3% (.OCX) Windows ActiveX control (116521/4/18) 3.0% (.EXE) Win64 Executable (generic) (10523/12/4) 1.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	Loki xll

Intelligence

File Origin

# of uploads :

1

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Dropper.Detected-9941731-0

Win.Dropper.Detected-9943897-0

Result

Verdict:

Malicious

File Type:

Office Add-Ins - Suspicious

Link:

https://app.docguard.net/570ca80a1165eff70e52b4c9c69745fb94f2816640ac71d7cb055d4b5aa1680c/results/dashboard

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-vm greyware packed packed

Link:

https://www.filescan.io/uploads/626a35eb2b32b1c37c6a830d/reports/0969491d-a6cc-4656-b371-d20097e35b6f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/570ca80a1165eff70e52b4c9c69745fb94f2816640ac71d7cb055d4b5aa1680c/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-04-28 01:47:17 UTC

File Type:

PE (Dll)

Extracted files:

2

AV detection:

19 of 25 (76.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=k4gkqcqrmxx7odsswte4nf2f7okpfalgicwhdv6lavouwwvbnaga._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Similar samples:

2289816fa967e230968ffe986a76950ba4938c6f0c3b27912ec480bf5c0e62d5

3851e1c8c896ecae1035576a4b37d1fafa0690df428e255ed709c155cf77279c

4dd4e59368f5e310bdebc4f7ee60778446873c9b930f16366592b471a86f3718

50cb7b0b1d15d89428745bd508343b52d5f197b5f57cdf83a077973bae3d1ec1

7fe467ef6f392039c0ce5edaadf85c19a8406a0b0b7332131e2b2ddc9f074bb6

9740fa7b19f17e4c6df857ec1240c243a77ad689894ecaa92bd112709c242664

bc4e9db6c6cc42bb03d7257abbf2105e1ed6c4fe24ccaabcd3db84fe8a935c1b

+ 8'497 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220428-hcx35afchn/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Lokibot

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/570ca80a1165eff70e52b4c9c69745fb94f2816640ac71d7cb055d4b5aa1680c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample