MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f9d22364554c8a0d96ce882e24da1f186f03a0b5769439fe9a3fd1f32d89356. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f9d22364554c8a0d96ce882e24da1f186f03a0b5769439fe9a3fd1f32d89356
SHA3-384 hash: fc2b214a7910153ae87f823c005db69f897f391ab60f948888b2cdab4dcabc5214e4ca380db6f4d15c148f8889463703
SHA1 hash: 4481618b5919b43e4975239e7485033589054915
MD5 hash: 6bb6170e798424cb7cf1fed054d2e4ae
humanhash: pip-cardinal-orange-may
File name:6bb6170e798424cb7cf1fed054d2e4ae.exe
Download: download sample
Signature Loki
Create hunting rule
File size:341'751 bytes
First seen:2021-07-29 06:10:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4eb4fa387aa9e72a2c5a5335b8957253 (2 x Formbook, 1 x SnakeKeylogger, 1 x NetWire)
ssdeep 6144:lG9Y66H/Bcgqh3SBrS6HoRwdoqz0Pv8QUGm/ZNMf+4lWDxTpknGn8o7y:lRPH/O026IWv0PEZt/ZNMjWDxT6ncVG
Threatray 3'836 similar samples on MalwareBazaar
TLSH T1D074E01031C8D6B1D8B21935C078E6329A7CFD722A1ED9DB7354612A0E246D1DB39FBB
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://brokenethicalgod.tk/BN2/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://brokenethicalgod.tk/BN2/fre.php https://threatfox.abuse.ch/ioc/163698/

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6bb6170e798424cb7cf1fed054d2e4ae.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 06:13:32 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/662a1776-9217-40c2-8b72-21f46764148f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/174869/
Detection(s):
Win.Trojan.Filerepmalware-9882244-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1a79137-f468-4129-891d-345e1b51f354
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823568
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 22:44:09 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6osensfktekbwlm5cboetnb6gdpaoqlk5uuhh7jup6r6mwysnla._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0fb699b995c7844be905bde197f7ba9da846861a5030b1bbf15bf5a5cc9c460b
Loki
19bb2b0774e1638edbdcccc7e2fb936773727966acd3977137a8acfe0823266d
Loki
24f818a962ee0e10764924354cb05a357503eb325c71dc3074091d917014b63c
Loki
2c75665cd0b8e4c00b4c1db314011a620759cbe725e2eddbaaa71db7e94dc446
Loki
3353c2ea708d348c56facaab5c7aebb5a2ec6c820d076d25dc41f30fac712f6d
Loki
44df96504ff0a727740da2a67982e2d214849ecf98a64de1ffcbf92bb46331a1
Loki
871fa4ba1f0c569a5e3eecc4580b37039a5ba0ea1b07435b881e021ec7532785
Loki
89b691f7c5016920b20535dc985904842bdf04ab6a8dd34f1716883083b3f47c
Loki
+ 3'826 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210729-4lyjqac3sx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://brokenethicalgod.tk/BN2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
769ff21565dc61ed76cd2c3017bcca8420ffa9c593389580c31b58a7050d0e16
MD5 hash:
a92719430d3824d1ece91ab1e038971e
SHA1 hash:
4548d1af76b641006d8afa71aa67dd5eb8e308cb
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/0fe9a5a8-4199-4118-99d3-bfdaabd0301b/
Parent samples :
5f9d22364554c8a0d96ce882e24da1f186f03a0b5769439fe9a3fd1f32d89356
4ace847e222f6d7a991dc958192345b807eaa7b717cd63833d6d70a866c21d9f
SH256 hash:
5f9d22364554c8a0d96ce882e24da1f186f03a0b5769439fe9a3fd1f32d89356
MD5 hash:
6bb6170e798424cb7cf1fed054d2e4ae
SHA1 hash:
4481618b5919b43e4975239e7485033589054915
Link:
https://www.unpac.me/results/0fe9a5a8-4199-4118-99d3-bfdaabd0301b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5f9d22364554c8a0d96ce882e24da1f186f03a0b5769439fe9a3fd1f32d89356

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 5f9d22364554c8a0d96ce882e24da1f186f03a0b5769439fe9a3fd1f32d89356

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1335109/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/174869/

Comments