MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c58b923afaff926a59bd2043c8f176e905e6989ff4fb7f0654f49a0b474f618. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c58b923afaff926a59bd2043c8f176e905e6989ff4fb7f0654f49a0b474f618
SHA3-384 hash: 83cb56bb2ceb3026ef66ba61fd28e5e610733fad29e9864e1523140b29ebae9cabbcfa17cab50c8a3ea095c5d7fc2475
SHA1 hash: ffc5633515904358ecbc1e6ea51a10791c19b445
MD5 hash: c659bf9eacb99dc3b2f49518ae9bbcb0
humanhash: failed-carpet-tango-victor
File name:vbc.exe
Download: download sample
Signature Loki
Create hunting rule
File size:162'216 bytes
First seen:2022-05-09 13:44:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:l1NjcVVnLpPunbCVpZQuJjV/agWhbUGtfrKEts6T/aNdLdSRusFdFV:HNeZmcWKBzWh5n2NpdS3
Threatray 7'634 similar samples on MalwareBazaar
TLSH T19BF301943BA0D4F7C9E31B712D3647A35FBAE83111A8470F9301AF9E7B646818A2D753
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2022-05-09 13:51:23 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/da491e68-c936-439e-a59d-e3521e800c17

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16797/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62791afabe0219041a8859a2/reports/6e028d4e-410d-4a7f-b467-49ae69a3a733/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52a3b24e-c5d7-4195-84c6-46fc0eb22079
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990190
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5c58b923afaff926a59bd2043c8f176e905e6989ff4fb7f0654f49a0b474f618/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 11:38:27 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lrmlsi5pv74snjm32icdzdyxn2if42mj75h3p4dfj5e2bndu6yma._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
44eae1c8c48076b016f6629596f65adc9ab7d4b6d00e933aca6df1d29a7281f4
Loki
79b7f4abc65b134b08a0c96666d69203d56cbb6aa5333fa992c78e58d14d413d
Loki
92896afd836208b63ec1d1e850a5b5278de069772f3dc638de35cdc69aa9102c
Loki
c6216dc2be2714f4ababe05db055291469d022432995247565e0a130830b1167
Loki
dee203595ec8d8c6e974d1d1720f82ad01f1e3728243612941e561d5b9f7f3a3
Loki
+ 7'624 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220509-q2c39adbf6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://sempersim.su/gf9/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0bd98a460895895d4c6e7762d0e2ae0aa31dc8c5dbcf092f3f7567289ac5ce97
MD5 hash:
6a393b69a23fbaaca556798cbf71f59f
SHA1 hash:
8e31e1fa147f948d820d71169aa557c905f15e59
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/23c7648b-2bc1-4f7d-aea1-a1cd49139ddd/
Parent samples :
67286378272f3092628103421067df2717eb8b6c7e75dee664ae2157b2fe01be
b3d17b959be07e41497ebe48d403db574b5e5c2e94b9783bf7301ae17c48f71c
a244c9f48051a0de3e4baaf1f6e09e6027d73bd8c4988311b3697d9800178989
5c58b923afaff926a59bd2043c8f176e905e6989ff4fb7f0654f49a0b474f618
65b1181f015e593b130b80297bae56f87fac30b3b8606fb0f61625b807b15d76
b14be84cf6e13f74894dc7b884c30a37d2063553f7996a3084468bd1d378d98d
00ad0fc0ee8c7ed338229abcfecd8d4e4d41aa5ef2fbde91e32f70858f392692
SH256 hash:
2c5a0dfdbe314e1178d8b017d33329709b0afdb73a9cf57ab8e539770378d771
MD5 hash:
049fd7fff10a793b2b02a21eb3f4a1c4
SHA1 hash:
b34c601fa165490cc30fd3a760c1be8da5c609b6
Link:
https://www.unpac.me/results/23c7648b-2bc1-4f7d-aea1-a1cd49139ddd/
SH256 hash:
5c58b923afaff926a59bd2043c8f176e905e6989ff4fb7f0654f49a0b474f618
MD5 hash:
c659bf9eacb99dc3b2f49518ae9bbcb0
SHA1 hash:
ffc5633515904358ecbc1e6ea51a10791c19b445
Link:
https://www.unpac.me/results/23c7648b-2bc1-4f7d-aea1-a1cd49139ddd/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c58b923afaf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c58b923afaff926a59bd2043c8f176e905e6989ff4fb7f0654f49a0b474f618

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2186863/

Comments