MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b
SHA3-384 hash: 9894bf6534ccf9b919ac205a6f304684baf4876503d51cb6b01ac3e7c0ac7041f9afe9f4cd795d96b446d159268d0b54
SHA1 hash: bbac972b8bf06457d066fe076fc44d0feb3d25e7
MD5 hash: 3d6ae742ec7b2d75583674e68eb36c83
humanhash: vegan-artist-eight-golf
File name:3d6ae742ec7b2d75583674e68eb36c83
Download: download sample
Signature Loki
Create hunting rule
File size:315'392 bytes
First seen:2021-10-20 07:27:47 UTC
Last seen:2021-10-20 08:12:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a17733709789367cb9619275f2367bbe (2 x Loki)
ssdeep 6144:D+Vi9RVh7Z+z2qONZYP5zeYs9MrIYlK5:DldFZ+z2qONZYP5Rs9MrI
Threatray 5'314 similar samples on MalwareBazaar
TLSH T1C5648D00ABA0C034F1F756F8497A9369A53EBAE16B7490CF62D526EA57746E0FC30317
File icon (PE):PE icon
dhash icon aad8a89cc6a68ee0 (2 x RedLineStealer, 1 x CryptBot, 1 x Tofsee)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI# P104634795.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-20 04:31:04 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/b192ea8f-ddb8-4561-a2a4-dc08c240da38

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198770/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47218732.26019.20935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Query of malicious DNS domain
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/616fc507a9d585e6d52e70c1/reports/625a35db-7f6c-4101-b2b3-8a76acf4f736/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96014738-62bb-4b14-8646-9782fbcc9c6a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/873643
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-20 04:40:25 UTC
AV detection:
27 of 44 (61.36%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbs2m5oxcongelhjw2h32k3jbhheplgatisk7t3jpmlqxdwvhm5q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
35a1292dcbbe0e8db0893318e876fefbceb3559abe32144604c5ff66ba4dbf18
Loki
62a98a16e7262b61b178e3b5d101373e41122b6763669be0779b932efde81076
Loki
69e8a7c05d1c336f32d92faffc8835c10074c2a9aa3e1a58dfeb1862c93a95d7
Loki
881df3054f29b28ef9fb5342b18591a295aefb3d7c2fe1d0f6272b10819e1f8b
Loki
a001d248a75b25696fc58e278aa37fb21a81dd6a2fa4ee5c126d37412cb4b993
Loki
ba7495813ffeac0429b6e26659f1a6c3638f9b2e7863f4a96aa3d030ddae9b9c
Loki
+ 5'304 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211020-janx4sggb7/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://checkvim.com/fd4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
2cf409f8118930987ab4dd551c491ced6e96387e6a3b82dbfd29c90cad9d541a
MD5 hash:
cc709db3e0b49a140ed475123898f048
SHA1 hash:
46611cf1e99da9b1bb4c08e8bbe44dc012f1dd34
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/247eea8d-9fb2-47f7-a060-c1a763043683/
Parent samples :
30cac5dddc6d9c235c35ae552ec995845eb34d82f9fdb74af722f193d8f53fcb
e9caf6704d5037f6a738897160fe43f3b49384174f62b37b68d5b28ce862b0b4
8e8611d4f594d003a87db801b69a0c132114fea33aca39c7fcc8a18cb17d1985
3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a
1f0573284ea83d62476e97156074ba2a7a1f046e21cbe82244234725999e1bbf
7532843070bc15b8f344e854f792fd7238819519a9c6bd048030a3575bc2c891
895a3f8a366ed73ca1cab8ef49582ada6382880654ab28e95b2902cde46e3726
711d41ba139f51e91bbb8f691f91e55655a0ad5a40f61a6bfebd9fe3d1ae2e37
61469a1a12ec1dadb9f884a0f07c23d7de89e77cb687bb6919c555de6ca8dc22
4e51be51b27ae05959149ff78aa3ebdf1010ce97def9882590b843816318faa9
5276828cc9b76bee177d1ff0f6fa4209a00f01a7e8aa70561cc520f0adc4d856
4f28f8460abcaaf087c8f7ac3980916768846e60a096763429bc66bed1e62f57
6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b
a000b23522b61426cc40661c7a0d46b2e897d95c010f9496bbcd848576d64dc2
SH256 hash:
6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b
MD5 hash:
3d6ae742ec7b2d75583674e68eb36c83
SHA1 hash:
bbac972b8bf06457d066fe076fc44d0feb3d25e7
Link:
https://www.unpac.me/results/247eea8d-9fb2-47f7-a060-c1a763043683/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6065a675d713/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1698669/
Cape
Cape
https://www.capesandbox.com/analysis/198770/

Comments


Avatar
zbet commented on 2021-10-20 07:27:48 UTC

url : hxxp://202.55.133.79/mms8081/csrss.exe