MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad
SHA3-384 hash:	59d63eaddb1f92173bc33c251956c0b4174d97aeffcb6bad6e24dd88f0612e602e355ffe0fa4c8adfc9d4d7d8a7e3abf
SHA1 hash:	4eb59af0df62b3954698ede93926bc45223911b9
MD5 hash:	f34196be326455dee3ee015c87553be1
humanhash:	avocado-west-white-crazy
File name:	Scan Doc.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	531'392 bytes
First seen:	2022-03-08 07:50:39 UTC
Last seen:	2022-03-08 14:12:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:UGiHEj9bfIp51Ti1VvApPUgCWZNxru1LXkuhHi37gFvRXN:m6bIT1TyvngCyNNo1hC3W9
Threatray	4'553 similar samples on MalwareBazaar
TLSH	T179B4AC626D4E838AF0734D3AC969C55EB0AD7F8C8BA2246F67487BC935312F366DC141
File icon (PE):
dhash icon	b270f0baa8f07092 (1 x Loki)
Reporter	lowmal3
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/248100/

Detection(s):

SecuriteInfo.com.Dropped.Trojan.GenericKD.48539204.12415.26203.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Creating a file

Searching for synchronization primitives

Sending a custom TCP request

DNS request

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9c102780-aad0-4c61-8ed6-a8779892e1c9

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/952321

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-03-08 07:51:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lgyga2pkdddnxpi6ge4rzba635entovaz6f3ldrnx3j6ctoavswq._file

Verdict:

malicious

Loki

59a048d9e77daa656b5f90c45cba08c4371b04fd1724458638992e9c2f83359a

Loki

5cf0fe7d3d3c026e6c262014442ceab086c0fb66223f1c70c9bcaea29159f6dc

Loki

6ff46a14b9b9ee749f6d723246afa1f2c82e85433de7c243d9b66046fa25fa42

Loki

75f7a5b155426bf485770e395bac90894eee5f8d1742f774429d726f7a5156bc

Loki

781eea0865be648267a08dd5216e3d598de51f5438951a9bc35d9dba22277770

Loki

8230050be18082cbd46028e18bd49362c630c8c63dfc8b6875b605f250fadda3

Loki

f3457b15e193b2fa2ce2fff91da46d671208034e010091cf1f88cc0231f35f71

Loki

+ 4'543 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/220308-jptrxacgh9/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Lokibot

Malware Config

C2 Extraction:

http://164.90.194.235/?id=2834036298392462
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad

MD5 hash:

f34196be326455dee3ee015c87553be1

SHA1 hash:

4eb59af0df62b3954698ede93926bc45223911b9

Link:

https://www.unpac.me/results/8f7d9775-969a-4e22-bc43-a70f9fb8cf59/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe 59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/248100/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample