MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff
SHA3-384 hash: de5ad2e18a2a64b4ef0e55432a9c9fee9cc1b6de0e2015dbf171736112ab223cacb58e470a688670bd27c90cc2ae8d85
SHA1 hash: 2cd78786b41171da0e3ebe41bb16f49bcbfe35bc
MD5 hash: 4dad1a7b5bdc7a8312a431649b0707d1
humanhash: white-virginia-maryland-monkey
File name:PO 200810-15A.exe
Download: download sample
Signature Loki
Create hunting rule
File size:753'664 bytes
First seen:2020-10-08 05:40:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:y9wjJaCi5/QcRH667GFF1CgkyBe27QmHFQ672VIj1ou8XXvXe7I:s8J0Fp74rC0T7Q2FQW2VIj6XXv
Threatray 1'807 similar samples on MalwareBazaar
TLSH 2DF4BE243B99D78FC22E4F7A801344609BE0D6639307F3CB7DD669E8495B79D8E21293
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail-smail-vm46.hanmail.net
Sending IP: 203.133.180.234
From: 권토중래 <kgby615@hanmail.net>
Subject: 견적 요청
Attachment: PO 200810-15A.cab (contains "PO 200810-15A.exe")

Loki C2:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/kiriko/Panel/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69081/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484957
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 04:16:57 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4ip5qyreged44s7iztdym4lpfuuvvo6cy3ps5fheslbv3m2c37q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8
Loki
1b3b81cd526d60f60fa1c193ba72438ec0f1c4059d5d7f195059d1aacfb453e3
Loki
1ef4b0a5bad6d091ba8e79641a6a5893477dd0124d6791f46a65b28b66521d52
Loki
276c169d7b842d092da93f16ae55bda7b01b0ded9bb12166b4c6eddc1dc49462
Loki
33ebfd8e209828818c29eac889a86e84eba1e9f428dc839f3a2a2fb57ade8d22
Loki
5312fab3ad83a00863c90baec3bbe7f1265cc6d94398b364f2cd7c11369af074
Loki
96ff361eeb8ab440652d1cbb8b28146f8dd9ee8cf9885f84ff4592b2551da57f
Loki
e0b5a7aa2ae1c4df12a5fa90c2f68c615690a58d80af00ff60ed5d7ab30c2f46
Loki
e91763b67687e25f299bfd0b9c30863546f6bc3e1d734c382675ce41ad87b2c6
Loki
f94e8615fb3b739ab3ad8ec81511b5439a72d4e865a5f9975aa524ac6036d3c2
Loki
+ 1'797 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201008-8h8g8el31e/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/kiriko/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff
MD5 hash:
4dad1a7b5bdc7a8312a431649b0707d1
SHA1 hash:
2cd78786b41171da0e3ebe41bb16f49bcbfe35bc
Link:
https://www.unpac.me/results/4115e0c8-426e-4c92-83bf-6143b7594818/
SH256 hash:
75c8e167ac473f846175695f3ca99848dfbd87c7d1054325307bcfa301b5ac9d
MD5 hash:
bb615058f446c670c733ea4ba4e633f0
SHA1 hash:
19d35aa6d9bae8606846236b2cc3db621a61c475
Link:
https://www.unpac.me/results/4115e0c8-426e-4c92-83bf-6143b7594818/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/4115e0c8-426e-4c92-83bf-6143b7594818/
SH256 hash:
db062545b1f734963c6e4d2614132495e37f7d7b295f25fa1033bb6a687acca8
MD5 hash:
e84ef5e5e9a5ce278c8e249aa9ef10bd
SHA1 hash:
823b72caafeb855dde1704ed9017f73544d15693
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/4115e0c8-426e-4c92-83bf-6143b7594818/
Parent samples :
59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51
5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff
95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd
SH256 hash:
23e98d7295504d903e912521df96c0014557847b8f4bb14a721ae56dd8d63052
MD5 hash:
b529dd54dcab3f47b27877489160c881
SHA1 hash:
df1899820bfd246cc653f54f53ed9ab51c78a355
Link:
https://www.unpac.me/results/4115e0c8-426e-4c92-83bf-6143b7594818/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab 8368ac39da7d78e93a9051638cc67f7a1e6f465fd6ba3e808e94df1edc971736

Loki

Executable exe 5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff

(this sample)

  
Dropped by
MD5 677f179fdda7c54ebcb4cbff747053c5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8368ac39da7d78e93a9051638cc67f7a1e6f465fd6ba3e808e94df1edc971736
Cape
Cape
https://www.capesandbox.com/analysis/69081/

Comments