MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73b13cea2c234ce674dae5666bc66fe01ba387283672ccf2684735a1b8c9a643. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73b13cea2c234ce674dae5666bc66fe01ba387283672ccf2684735a1b8c9a643
SHA3-384 hash: e08410bab04f6b6d3ed9990e6b5a779ab488921aa5e849d80bb6f6fe5da557cf170bdb70d97de42e8d17c2eecf9d1dd5
SHA1 hash: e164ea1c1860c5a3f4dc3419be016c95a103c8fb
MD5 hash: e3cb4959e7cf0586b283e03efbbb7def
humanhash: pluto-avocado-july-dakota
File name:e3cb4959e7cf0586b283e03efbbb7def.exe
Download: download sample
Signature Loki
Create hunting rule
File size:882'176 bytes
First seen:2022-09-21 06:12:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:cSfeL73HoiwykvKQ/r0TLbIRnAJ7BtX+YzYw3nFTFJc/jaFU:BfefYiwWQj0HbfTBzz7cG+
TLSH T1C5159C2523E90F17F076ABF845A0D0B097B5BC16A47AC24E5EC56CDFB465F60CA60B23
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 74d298b898b0f8b4 (11 x AgentTesla, 11 x SnakeKeylogger, 9 x Formbook)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
e3cb4959e7cf0586b283e03efbbb7def.exe
Verdict:
Malicious activity
Analysis date:
2022-09-21 06:16:53 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/327df8ac-6736-4cf1-a8ba-9d737009c65e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311958/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6660.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/632aabbe865ed83c011b5929/reports/0953d831-30af-4a27-b4e0-759c8cb0e4a0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7571c064-a234-434f-8fbf-215d05c6b435
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1074384
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/73b13cea2c234ce674dae5666bc66fe01ba387283672ccf2684735a1b8c9a643/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 04:49:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ooytz2rmengom5g24vtgxrtp4an2hbzigzzmz4tii422dogjuzbq._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220921-gyqqhafeb3/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://171.22.30.147/jungletwo/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5f7c1e6b-4fe2-4c5f-ba8f-e609ae771079
Unpacked files
SH256 hash:
161903f7d5633a0cdc5d416c229e1af16ad3f5a6d11dbe8d500aa9151a273f62
MD5 hash:
b460e7cd67e88a80f0b65f65d28b1c4c
SHA1 hash:
fef017687483cf2b5b9d5f8061b6f0645fdcf779
Link:
https://www.unpac.me/results/c8102067-81d1-454b-ad15-19fb4b8a6fc9/
SH256 hash:
0854637dc53de29662e3439ba814079c405a9fc73e5a59dbf562330667895a5b
MD5 hash:
7794c7342fe0b559152b836f90eee840
SHA1 hash:
ba0990f79dd5dcde95b14266199c5bc2f2678743
Link:
https://www.unpac.me/results/c8102067-81d1-454b-ad15-19fb4b8a6fc9/
SH256 hash:
2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af
MD5 hash:
c3a1924684ca30ed22234ce1d9111dfc
SHA1 hash:
7347706241422758c06440fd6044ae4e042b456b
Link:
https://www.unpac.me/results/c8102067-81d1-454b-ad15-19fb4b8a6fc9/
SH256 hash:
a2070d88565c6ec3dde332e0c1ba205ff4e4d5746b216df73af1a1a24dd4b14e
MD5 hash:
8332507e4c18b51b5005c6fc53abb97f
SHA1 hash:
6c290c127420b2104dcad0e5e05466d5927a8907
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/c8102067-81d1-454b-ad15-19fb4b8a6fc9/
Parent samples :
429562b75a63744ce15b9563e7e0329167d0b338c7610ca65a03548e44d9e495
a2070d88565c6ec3dde332e0c1ba205ff4e4d5746b216df73af1a1a24dd4b14e
73b13cea2c234ce674dae5666bc66fe01ba387283672ccf2684735a1b8c9a643
a822b982ef431f0a6813ef38dd672151c786aadb71c0787f8419bd04b127a44d
ef6e645afe538a63e44508816e3ac47126452043a5979c37bf0470e924412295
a9a73832599c23235d4848598f993f942245a816f83578fdf58a93c1b164c680
3e42cf8b782abc2372d1fda2e773caeda09fa83f0d95f8363ff456c479c26272
0ffac76af887d1aadbc9b52dab73c169caeee8ce9905289892fae5064f00099a
8f0885b3ea2ab91005404905a3bf062cb7eb435ee71658c28f4852e10b9db3c0
8356c85fce8acdbd11c01ac4fef7f86c25f262dd77c824f8310f969ec4f5d84e
SH256 hash:
b5923ffda64817619f24a21344c2bbcfe034bf40693b3c42ea23739e35c75a1f
MD5 hash:
04b3b2b1797de0e80c46d67e6c2f16bd
SHA1 hash:
3dcf743545db94b30ad92557a233baf40834f10c
Link:
https://www.unpac.me/results/c8102067-81d1-454b-ad15-19fb4b8a6fc9/
SH256 hash:
73b13cea2c234ce674dae5666bc66fe01ba387283672ccf2684735a1b8c9a643
MD5 hash:
e3cb4959e7cf0586b283e03efbbb7def
SHA1 hash:
e164ea1c1860c5a3f4dc3419be016c95a103c8fb
Link:
https://www.unpac.me/results/c8102067-81d1-454b-ad15-19fb4b8a6fc9/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/73b13cea2c23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/73b13cea2c234ce674dae5666bc66fe01ba387283672ccf2684735a1b8c9a643

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 73b13cea2c234ce674dae5666bc66fe01ba387283672ccf2684735a1b8c9a643

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2271591/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/311958/
  
URLhaus
https://urlhaus.abuse.ch/url/2309470/

Comments