MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b680446afc64525e3d059c86bd50b8e0e8e24b890f4032485185adb8301b8cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 5

SHA256 hash: 6b680446afc64525e3d059c86bd50b8e0e8e24b890f4032485185adb8301b8cd
SHA3-384 hash: 941ae5545a6f3945046800bf4b43f592f89839c014a138fbb5044bfdfa2c6c826c0247e9034d76938db671bee74e0b2a
SHA1 hash: 5a41c0d013a030c06cf8225a51a7ba99ec3401fb
MD5 hash: 04a855f670943999e33a10fd9b2b58b1
humanhash: fix-network-hotel-venus
File name: Scanned RFQ.exe
Signature: Loki
File size: 1'454'080 bytes
First seen: 2020-05-04 19:48:56 UTC
Last seen: 2020-05-04 19:56:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep: 24576:rtb20pkaCqT5TBWgNQ7a7YYrAA5rYHYpyDr1m6LGlFIEKC2PL26A:oVg5tQ7a7YYk0rYHYpmrn+IEd2S5
Threatray: 2'333 similar samples on MalwareBazaar
TLSH: D165E01263DDC365C3725273BA26B701AEBF782506A1F96B2FD80D3DE820161525EB73
Reporter: jarumlus
Tags: Loki

Intelligence

File Origin
# of uploads: 2
# of downloads: 82
Origin country: n/a

Vendor Threat Intelligence
Threat name: Script-AutoIt.Trojan.Agenttesla
Status: Malicious
First seen: 2020-05-04 14:39:34 UTC
File Type: PE (Exe)
Extracted files: 26
AV detection: 25 of 31 (80.65%)
Threat level: 2/5

Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://mecharnise.ir/da6/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments