MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fc4a212a633dfb96b0e8150b822599ce2e49d63f016a8af9ca76870e38f7513. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 19

Intelligence 19 IOCs YARA File information Comments 1

SHA256 hash:	5fc4a212a633dfb96b0e8150b822599ce2e49d63f016a8af9ca76870e38f7513
SHA3-384 hash:	4c99224bcd379dc682cc2b17b20067b62e708ea95fdec71ed9d2aea3473c0f68b665ac565645732abd6e60b9f924c56f
SHA1 hash:	3140298ee33bd081403bd32852d090f1bee735f1
MD5 hash:	3315bdebdc17d6688165fd98c0c5209c
humanhash:	table-venus-bluebird-cold
File name:	3315bdebdc17d6688165fd98c0c5209c
Download:	download sample
Signature	Loki Create hunting rule
File size:	292'352 bytes
First seen:	2023-06-11 04:35:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	af40ca862bb560756a6239b041d2950a (2 x Amadey, 2 x RedLineStealer, 1 x GCleaner)
ssdeep	3072:QnIMJUNJ1Nz/OExSRIlsxCK0wKtHk0fg8DpdfF6akV95XR0s27HmJt:1MJO1Nz/OUVsxtoE0fgyAaK95XmmJ
Threatray	4'231 similar samples on MalwareBazaar
TLSH	T1EF54F71393A17C54E53D8BB38F2EC6F8760DF6508E797B692219AF2F16B0072C263651
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9096ca4252606848 (1 x Loki)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

ef5538a4f8523b8087a46a4f0319a2ff

Verdict:

Malicious activity

Analysis date:

2023-06-11 03:52:53 UTC

Tags:

opendir exploit cve-2017-11882 loader trojan lokibot

Link:

https://app.any.run/tasks/ff7c3070-8edc-4cb3-8b71-f284a1599182

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/397681/

Detection(s):

Win.Packed.Zusy-10003906-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90252/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed ransomware zusy

Link:

https://www.filescan.io/uploads/64854f330c5a15dac562cff1/reports/94f074e8-247b-453d-b716-a9bfa570a880/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/5fc4a212a633dfb96b0e8150b822599ce2e49d63f016a8af9ca76870e38f7513

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00c1729a-9f03-4eb4-b8df-68000e378b1d

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1252504

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/5fc4a212a633dfb96b0e8150b822599ce2e49d63f016a8af9ca76870e38f7513/

Threat name:

Win32.Trojan.Lockbit

Status:

Malicious

First seen:

2023-06-08 12:53:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l7ckeevggpp3s2yoqfilqiszttrojhld6alkrl44u5uhby4poujq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230611-e78xbsge76/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://185.246.220.85/chang1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php