MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61b4e3a2a7436c14b8383ba880dee73c0adbd8a9a33e0f7ec368eff5ab7c4e06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61b4e3a2a7436c14b8383ba880dee73c0adbd8a9a33e0f7ec368eff5ab7c4e06
SHA3-384 hash: 2ce9d266c7773e08b29d204d58cdfbcf966e69c50159b855bdc2e1ba4e06b4d49b1b97da5cb4ea8fbe474867c967b54e
SHA1 hash: 9446da3511331598c24c02f5e0ce92324225a5fd
MD5 hash: 204447e5289a25bf291890af16256a0c
humanhash: arizona-music-four-cup
File name:Order#051822.exe
Download: download sample
Signature Loki
Create hunting rule
File size:516'096 bytes
First seen:2022-05-23 11:56:35 UTC
Last seen:2022-05-23 12:58:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XesvNzjCPcw5T7OYJkKT5RQESyOioDUWmPIjEIn:3ZjCrhJilp6VI
Threatray 8'085 similar samples on MalwareBazaar
TLSH T1DCB412A177B68B56CA7D1BFE61101051037B965F3851E3B81FCAA0CB3E1AF429B61B13
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
7483106135.zip
Verdict:
Malicious activity
Analysis date:
2022-05-23 12:49:50 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/b5a7bf7f-f2c1-477d-b3e5-157d930f93f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273635/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/628b76b36eb3ff326323aef9/reports/c8868cb5-c08e-44e2-a582-1b61e64145ba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bcc4ec89-9f39-44ca-bda6-c89b53f7c357
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000146
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61b4e3a2a7436c14b8383ba880dee73c0adbd8a9a33e0f7ec368eff5ab7c4e06/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-17 02:33:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
25 of 41 (60.98%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mg2ohivhinwbjobyhouibxxhhqfnxwfjum7a67wdndx7lk34jyda._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
17601e8cd5da7f6b4030546780e2ea2793f104cb978db4aaeb634b8d9be642b8
Loki
42b9985586ad99224f2b238f89dcafda4c2dea3c6c76a70314e6080c41f0ab01
Loki
565511aeb0a6cbc266682081f79d492cd0be8063f7fd7147f5a0e4a33ff1898b
Loki
859c4d32d610fa0a47a5afd95c6dc1e1eb550ea8b93d6e2dc56f2db52354e345
Loki
e92c86e5d98095c3dbf954ff712640ceeb7d22b11971bec837a489bfc166d691
Loki
+ 8'075 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220523-n4lgasgedm/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://unitedcourierparcel.com/cjg/loki/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
97527da0af9e8321eb6aa2c760bc3a6453341b0fef90c44595a02945c2dd3144
MD5 hash:
332f0164e6b19699174c491d839d6ec9
SHA1 hash:
eadeadeaf7bf3978d86d633bd054e4ff317ecc40
Link:
https://www.unpac.me/results/1147f128-0c43-44d0-b628-6a6ae9dac862/
SH256 hash:
5aa3f3260780607d195aee98d5aaed5c6dd5d89a45c3a24b5148a5838e81ef08
MD5 hash:
2c8907852ffeef6bba7179ff1c2a7941
SHA1 hash:
c1fff1b293c880c4c3149a23e1a18b2974fd4ddd
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1147f128-0c43-44d0-b628-6a6ae9dac862/
SH256 hash:
6617e0b54fd09ece03754af8633d7841f6d7f9e0c5750449539251482f676843
MD5 hash:
31376892689a17039bded2236ca76e6e
SHA1 hash:
b6b9192ae5aacabde780c92723d9113041d62135
Link:
https://www.unpac.me/results/1147f128-0c43-44d0-b628-6a6ae9dac862/
SH256 hash:
6a251a259c7035bbcb7a4de68ec65b8dd336cf29b5ac62b400142d47446c09a3
MD5 hash:
2cd694a66193d9feb81cda20341bb34e
SHA1 hash:
7370817fb76642aff47745d607e89b68fdc725f7
Link:
https://www.unpac.me/results/1147f128-0c43-44d0-b628-6a6ae9dac862/
SH256 hash:
61b4e3a2a7436c14b8383ba880dee73c0adbd8a9a33e0f7ec368eff5ab7c4e06
MD5 hash:
204447e5289a25bf291890af16256a0c
SHA1 hash:
9446da3511331598c24c02f5e0ce92324225a5fd
Link:
https://www.unpac.me/results/1147f128-0c43-44d0-b628-6a6ae9dac862/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61b4e3a2a7436c14b8383ba880dee73c0adbd8a9a33e0f7ec368eff5ab7c4e06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 61b4e3a2a7436c14b8383ba880dee73c0adbd8a9a33e0f7ec368eff5ab7c4e06

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/273635/

Comments