MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73ab05f133367a68416c97ca773dee832f5468b7e5413ccd195ad1213b2899b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments 1

SHA256 hash:	73ab05f133367a68416c97ca773dee832f5468b7e5413ccd195ad1213b2899b9
SHA3-384 hash:	cb654c528d598181e82bd56debf2faa015b141911aa8ac9eecead4cc86973e1bf2aa24eb5807190436536ab39abc0cdb
SHA1 hash:	f54e8c8bcdc9169fdcaef13365aa8c02009c19a6
MD5 hash:	1bfd8144bd663827622e87cbd3718150
humanhash:	eight-grey-washington-magnesium
File name:	1bfd8144bd663827622e87cbd3718150
Download:	download sample
Signature	Loki Create hunting rule
File size:	352'768 bytes
First seen:	2022-01-20 08:53:17 UTC
Last seen:	2022-01-20 11:12:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:JsQXLF3ld9aggwLHiyJ0h2pk8eNAn0dJA6OMusnmpHf0KOfhtw4l55dY907J5FqF:68Hd9aKbtTpk8eNbj3usnCfgDw8DYkBk
Threatray	6'717 similar samples on MalwareBazaar
TLSH	T102740214B7F92B6EDBEA83F56531112057B9392A2232E36C0E9970DF6932F414281F37
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

180

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://103.156.91.24/intel(R)/.csrss.exe

Verdict:

Malicious activity

Analysis date:

2022-01-20 08:54:57 UTC

Tags:

loader trojan lokibot stealer

Link:

https://app.any.run/tasks/bd62fde4-2099-41db-bb47-af160e2cf9a3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/221007/

Detection(s):

SecuriteInfo.com.Artemis1BFD8144BD66.3286.15869.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61e92332d32385db630dd4c2/reports/b68cf852-ba72-4c08-a424-033283e333b1/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e7cb5d8b-eff9-477a-ad39-c995e9781cb8

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/924152

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/73ab05f133367a68416c97ca773dee832f5468b7e5413ccd195ad1213b2899b9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-20 06:57:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=oovql4jtgz5gqqlms7fhoppoqmxvi2fx4vatztizlliscozitg4q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

2b4a20c7ac0f31d680f8f86f10d31381040715e16cd9f605429d65957a917c4c

Loki

61469a1a12ec1dadb9f884a0f07c23d7de89e77cb687bb6919c555de6ca8dc22

Loki

63b3a7ba0a4323a0d4757115eb0091f3d388ed0391f75493c43a6cd61fa7f39e

Loki

a3237b31acd5448e7082cf28eb83ba819added0c2053c938cb603652aeecf177

Loki

ee77909a7c9ba5d8d88c1211683e9bfad01661d7ef0ac4aaf22e2a00b1475073

Loki

+ 6'707 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220120-ktwmqshbg3/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://2.58.149.169/baba3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

0644b3059301c13b600dc8694d52508a1e4a36bc978adaf5f9ba3a994bdf7618

MD5 hash:

df7a63db79d288b3e23e34c951759ab3

SHA1 hash:

f914b49c33dc32b5f48f472664a44bc3eb7b0625

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/608bed29-addd-47f7-93bd-93b9d1f10e4d/

SH256 hash:

c358abd7df3e4cec3c9045a0d0552a31ace0ce7c906186f94ac2776ed47f5eb2

MD5 hash:

e3c756cb7d9606e0afa80817379515a8

SHA1 hash:

463efa85396d7fcfcf8e68609c99a33044290dbd

Link:

https://www.unpac.me/results/608bed29-addd-47f7-93bd-93b9d1f10e4d/

SH256 hash:

a7b72631e5f86c4cbd195f55777983798ce530db366912ec454c8fdffff4bf09

MD5 hash:

c6e42fa569d4f5f796537074a0f34b9e

SHA1 hash:

0b65ad83ad2d125bc0109560ffa76cf959839fe5

Link:

https://www.unpac.me/results/608bed29-addd-47f7-93bd-93b9d1f10e4d/

SH256 hash:

73ab05f133367a68416c97ca773dee832f5468b7e5413ccd195ad1213b2899b9

MD5 hash:

1bfd8144bd663827622e87cbd3718150

SHA1 hash:

f54e8c8bcdc9169fdcaef13365aa8c02009c19a6

Link:

https://www.unpac.me/results/608bed29-addd-47f7-93bd-93b9d1f10e4d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/73ab05f133367a68416c97ca773dee832f5468b7e5413ccd195ad1213b2899b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 73ab05f133367a68416c97ca773dee832f5468b7e5413ccd195ad1213b2899b9

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1991791/

Cape

https://www.capesandbox.com/analysis/221007/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-01-20 08:53:18 UTC

url : hxxp://103.156.91.24/intel(R)/.csrss.exe