MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e
SHA3-384 hash: 2e6c4e8bd28593dd42d769f499cd7334eb8c7c55ffe5bb5d8e65334c219508acef4de000974f00e1d27d3de12c55c8ee
SHA1 hash: 7cffa415fdce4d07c39f10478f09039e3a537da9
MD5 hash: 591666945b491491a62484957aaf37fa
humanhash: emma-grey-echo-cola
File name:scanned.exe
Download: download sample
Signature Loki
Create hunting rule
File size:323'231 bytes
First seen:2021-12-03 09:17:26 UTC
Last seen:2021-12-03 10:44:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGi55BADzAa9zCJhJBhrAfUuLkZf1scbkWfkU2kyc5FtUbuLpaKD:GcjnJrAfPLqf1jb9MOyAauLpPD
Threatray 5'689 similar samples on MalwareBazaar
TLSH T1B864229E1AD41FF3E1D545B146B647B9E9F3D19B2601070303EE9F1F39A28E38939262
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter GovCERT_CH
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scanned.exe
Verdict:
Malicious activity
Analysis date:
2021-12-03 09:19:10 UTC
Tags:
installer trojan lokibot stealer
Link:
https://app.any.run/tasks/23fce138-9f40-4e3a-8524-57b342db5229

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210948/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.24588.26513.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
DNS request
Sending a custom TCP request
Stealing user critical data
Moving of the original file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/626/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61a9e0cd4d8e6f3a5e0cd363/reports/8c9c3b69-4ed7-496c-bbb0-94e46485e396/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f40598af-6593-4762-a228-97be3ef4258c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900736
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 09:18:11 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oan3agqyum2haxjdzcqdzp4fi4vn6xpt3m4pq6i4etih4qwpnvpa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
037a4ae072c70cade6ca101962abd2ebf156642b04a43a182ad39868397a5fae
Loki
0ea0df4d2bf5d5bfb229abf712347f11e4da47ffbfb039d210da65eb96e7c995
Loki
23857e09339755abd6fc1933b0d6de532f86c378d00ad968abcd3902e303ec36
Loki
fa7fd0ba879cc08188f1fe1b5f7af61e4ec9a8e9b0bb72a1a32888d794bec159
Loki
fb58486744862437fbcbe4acc9cce0fc5727e253686ad0e495c82e827017c99c
Loki
fc6495bc4cea5446bd3c15ecff52abef10d2dedabdaeeb009ec15d4010e68d63
Loki
+ 5'679 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211203-k9l38sahg6/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://63.250.34.171/tickets.php?id=539
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e
MD5 hash:
591666945b491491a62484957aaf37fa
SHA1 hash:
7cffa415fdce4d07c39f10478f09039e3a537da9
Link:
https://www.unpac.me/results/57383d62-b07a-4636-bed1-871f81c58027/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/701bb01a18a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 701bb01a18a334705d23c8a03cbf85472adf5df3db38f8791c24d07e42cf6d5e

(this sample)

  
Dropped by
loki
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/210948/

Comments