MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e163f9d1bd679ab06d2e469412c8fc6aabad9a4d58375f9c8eb7cd5a915a081. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	5e163f9d1bd679ab06d2e469412c8fc6aabad9a4d58375f9c8eb7cd5a915a081
SHA3-384 hash:	ea28689c2dd88860547caf194bc89bb8e282c8e77947076cbf4b40cac31540a8d1ecdd19065dd95305796e612e4a879a
SHA1 hash:	cbb4bef767f8a5529e6512a00e7d8373f5ac0fc9
MD5 hash:	ba6efc03d66ad160e406e612861969c2
humanhash:	william-louisiana-quiet-blossom
File name:	ba6efc03d66ad160e406e612861969c2.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	249'406 bytes
First seen:	2021-10-19 15:05:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep	6144:wBlL/cCrzQ47GRCMeoUcaQ18i5YqCa1bxzaJsWOfl:CeH4iRCzZc/r5YqCGrWOfl
Threatray	5'107 similar samples on MalwareBazaar
TLSH	T1B134122318C125F3EA6FC9B1153B1769D1FAAA04143AC28F9F24DE3A64B48CD661F4D3
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

333

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/198608/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file

Deleting a recently created file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/616edee2db358dd15ec50a59/reports/ab7ed2cc-004f-4c32-b670-bdd0e3c3840f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e955c626-2865-41a0-8526-16916a43210f

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/873241

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/5e163f9d1bd679ab06d2e469412c8fc6aabad9a4d58375f9c8eb7cd5a915a081/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2021-10-18 23:31:30 UTC

AV detection:

14 of 45 (31.11%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lyld7hi32z42wbws4ruuclepy2vlvwne2wbxl6oi5n6nlkivucaq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

4ed734e9759f4c0f6da12c3863ac192a5ccfd0493b5cb4a045c7466791bbd154

Loki

895a3f8a366ed73ca1cab8ef49582ada6382880654ab28e95b2902cde46e3726

Loki

9e35ad79445831eb81e9fb5db0d30ef4ccd09344c6360014b7dd360029f80946

Loki

ae30c77472bd494b2116c5ef0fc7bedc11fca5a57c4796e316333d95ef61f437

Loki

e272af98ac66fa088b63aa66caeec5ea402966a2c78bb3df09d139168437cb0f

Loki

e4e0857b271733e43190c89d0f20bb647137f68fa7b2b5cc387b0c367ec1427c

Loki

f228ebe1b6d660825c71c76528486d30fe68858362b0bab96a203b4eba670c35

Loki

+ 5'097 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/211019-sgqvqahaak/

Behaviour

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://63.250.40.204/~wpdemo/file.php?search=719442
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php