MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 727610ecf5d6c090e8b2ff1ae1198a587429521d215ffefb91069ff2bff72353. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	727610ecf5d6c090e8b2ff1ae1198a587429521d215ffefb91069ff2bff72353
SHA3-384 hash:	9beb0cb8a00581344801b06b2fbe8180adbd481d78077bbfa588fc5f5e859ac231c0e0b98283b98012157d3a5b756dd9
SHA1 hash:	83eaff1db7741da371cf1f91450388c5ff7cfae2
MD5 hash:	3e5d1b23a6cf66a116ebb7e7d04ab0ef
humanhash:	minnesota-muppet-jersey-seven
File name:	WGR7gHH0j05O6w1.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	827'904 bytes
First seen:	2022-02-14 04:10:45 UTC
Last seen:	2022-02-14 05:59:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:Vh+bFtpLZfhSY+Yyw9BUCHHi6qEG5ExoVjDV:CbFtptfgYDJ9BU6G5PVjZ
Threatray	6'334 similar samples on MalwareBazaar
TLSH	T1EB050209BBA6D615C6A20FBAE4A042945B34EE2E1507C77F70AD3DCD3FAB3560532532
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://164.90.194.235/?id=29754409988072703

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://164.90.194.235/?id=29754409988072703	https://threatfox.abuse.ch/ioc/387397/

Intelligence

File Origin

# of uploads :

# of downloads :

216

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/241232/

Detection(s):

SecuriteInfo.com.Trojan.Crypt.MSIL.5562.8021.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Gathering data

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3eecc19a-a2f1-4517-8485-df4932bb2cc8

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/939085

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/727610ecf5d6c090e8b2ff1ae1198a587429521d215ffefb91069ff2bff72353/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-14 04:11:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oj3bb3hv23ajb2fs74nocgmklb2csuq5efp7564ra2p7fp7xenjq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

78fd4e091b66540f612e7c3bd324d4bfa1abeebac2487d192f672686d09ed1a1

Loki

7fe467ef6f392039c0ce5edaadf85c19a8406a0b0b7332131e2b2ddc9f074bb6

Loki

8cce39c9d68c3ddba4ec97275d8832ff04d88c0ad1eb2a68972f5d9fffc35c95

Loki

91f0141821d1acad32ea97bdc0bebbe911a607cf89c2505379a60e14537c7805

Loki

9740fa7b19f17e4c6df857ec1240c243a77ad689894ecaa92bd112709c242664

Loki

bc4e9db6c6cc42bb03d7257abbf2105e1ed6c4fe24ccaabcd3db84fe8a935c1b

Loki

f039438332a76f2adbc5af5bbfbc3b57812543029c60a827b48293bb5d5bf33d

Loki

+ 6'324 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/220214-eryfnaefc4/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Unpacked files

SH256 hash:

eea4db19686d031549e3a67c5923d07249fc71fc7998d3baa32ed0fd499efdc7

MD5 hash:

5ba4afa502a4133413728caceb56cf88

SHA1 hash:

d457e8ab54fefda76bf0d6c0005ab5b2f3d21709

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/aa5fb53b-6ce9-4be4-a826-1ff7cf98daf8/

Parent samples :

727610ecf5d6c090e8b2ff1ae1198a587429521d215ffefb91069ff2bff72353
8745bcfcc6dcae5b29429a611278c58127abaf751650d7177bb94b801ea67e81
998ed32fbb6ea4071abf6069a88a0140d3428d5823ddee900a072c66446ae0cc

SH256 hash:

3ca74eb4ce4c2c5604dc298949ae47996d93063abfde0682d689205561d17d44

MD5 hash:

4e35b541f3d9162d0ac93d336df67779

SHA1 hash:

bb9e65761186806d4bada659e9d5db0c070501d4

Link:

https://www.unpac.me/results/aa5fb53b-6ce9-4be4-a826-1ff7cf98daf8/

SH256 hash:

615eddb8a549ce291727b4313a1cb1a6dc00182f2d4202403c7117870e71bd2c

MD5 hash:

ae3ce1397fe92c6a23e58ff67ba257f9

SHA1 hash:

65a2dacc50c8d915fd5f32dcdeaa7f4f836bfaf0

Link:

https://www.unpac.me/results/aa5fb53b-6ce9-4be4-a826-1ff7cf98daf8/

SH256 hash:

a997cc713ed3aaab3771576fed54cf6871e2588a22adda657cb1047682fa374a

MD5 hash:

19c7d6f1bb2a95332b3cc23b0f111f90

SHA1 hash:

12d8c8136d8e636a264c20083de054ea3fe939e8

Link:

https://www.unpac.me/results/aa5fb53b-6ce9-4be4-a826-1ff7cf98daf8/

SH256 hash:

727610ecf5d6c090e8b2ff1ae1198a587429521d215ffefb91069ff2bff72353

MD5 hash:

3e5d1b23a6cf66a116ebb7e7d04ab0ef

SHA1 hash:

83eaff1db7741da371cf1f91450388c5ff7cfae2

Link:

https://www.unpac.me/results/aa5fb53b-6ce9-4be4-a826-1ff7cf98daf8/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/727610ecf5d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/727610ecf5d6c090e8b2ff1ae1198a587429521d215ffefb91069ff2bff72353

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/241232/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample