MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs 1 YARA File information Comments

SHA256 hash:	5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558
SHA3-384 hash:	9c478df6469722a179e0f41ccae6a9409a277c5bb36f0792e22aca881fb1ca2bba86f8cad12fd6fb4dcf1525a1a6fd06
SHA1 hash:	bcd5af646b5e00c2c6d095dd25b627519089e465
MD5 hash:	97c58c86ec5b88fcfc3fe3ff945b01cf
humanhash:	lithium-finch-cold-avocado
File name:	FFFbuild-12022-03-0211-20.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	233'984 bytes
First seen:	2022-03-02 12:36:11 UTC
Last seen:	2022-03-02 15:11:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a4063d9816b23e02735c7787a5d84d48 (2 x Loki, 1 x Smoke Loader)
ssdeep	3072:YTNW5IL74smk2QLx0Oz5Dda7DfzJz//FqmqT3H57dB5D:R5IL7482YxflDAhz/tqHXB5D
Threatray	6'629 similar samples on MalwareBazaar
TLSH	T1D334DF217690C472C48B68758464DBF55E6EBC3123A1A94B77AB377E0F303E0977934A
File icon (PE):
dhash icon	38b078eccacccc43 (88 x Smoke Loader, 38 x Stop, 33 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://164.90.194.235/?id=11591743733997422

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://164.90.194.235/?id=11591743733997422	https://threatfox.abuse.ch/ioc/391747/

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/246293/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.32428.6943.8423.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/7864/overview

Behaviour

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware

Link:

https://www.filescan.io/uploads/621f64f10cd58dbd926293b8/reports/7c2b2228-b9ad-4f09-ba01-f80c25cf389b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/419da728-962d-4128-b804-1792d79996a4

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/949098

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2022-03-02 12:37:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=llzvkig5gakf4ci6pw45jwn6exwchtpvw7mrjjac56ea7m232vma._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

02123a89ddac869b20148825d4d486598c910a71b300937f4b461cdab90f960b

Loki

6f975378cb65fa40e27b22cd6676e4385b46cdb0df3111cb94530a8615516281

Loki

8736334fb15c7ff407900e746c9a3a0d2db66226d15c28fa3151f09604f84b89

Loki

a4182d8f62fb365856798683af6277ad0c3b3a9d9788fe1e2cef07bb918197d6

Loki

fc3f900e33a9964aac54740bc6f95b506599c0b05aaeba262c10f5bd846d05d0

Loki

+ 6'619 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220302-ptgk2aehb8/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://164.90.194.235/?id=11591743733997422
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

d770a9ba1bda8b541316b170977ceea09ed1ef1e117033d1a3edfc21731ee61d

MD5 hash:

32312208c502b955489f8984dca02a40

SHA1 hash:

80658d7e5fa2ab0bd07e821ccdf19de6983878a5

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/116dca6c-d7f1-4e55-b14e-386d073f716f/

SH256 hash:

5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558

MD5 hash:

97c58c86ec5b88fcfc3fe3ff945b01cf

SHA1 hash:

bcd5af646b5e00c2c6d095dd25b627519089e465

Link:

https://www.unpac.me/results/116dca6c-d7f1-4e55-b14e-386d073f716f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/246293/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample