MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02
SHA3-384 hash: b59b87504d95aa3f3deff13cb12324ec793a0c2f2daa1dde7bdd4c22182c0a3e481cf0f2d467ddf19e275dbb3b4f476c
SHA1 hash: 221cefb7dc04927fdead5f1c775cdb6457580e36
MD5 hash: f7a0a3105745f26502de6d9f93790653
humanhash: alanine-beer-july-lamp
File name:f7a0a3105745f26502de6d9f93790653.exe
Download: download sample
Signature Loki
Create hunting rule
File size:799'232 bytes
First seen:2023-06-13 02:50:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:jdcvG73htU7/2eQ1x9xN4Ta29FNgRBhnnQVsBps5rK0uPIc:jdgG1tCueiLqucFKFnQ80D
Threatray 3'370 similar samples on MalwareBazaar
TLSH T16A0501463544481BC27677F94F1272B537FF8B8A3A19E7CB2C87B0859DD6B462B20A13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0661697171716906 (9 x AgentTesla, 4 x Loki, 4 x Formbook)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://161.35.102.56/~nikol/?p=8254674426

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
f7a0a3105745f26502de6d9f93790653.exe
Verdict:
Malicious activity
Analysis date:
2023-06-13 02:53:10 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/a7ac0748-cc0b-45aa-961c-f7a5b504239e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/398127/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.18648.25997.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6487d99728381b85ed1a1c2e/reports/e8487e53-3056-4c0e-8a98-9f901da6a8f5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03b952db-7e8b-45c3-93c9-efcf09114f0f
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1253346
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-06-13 02:51:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=otdta6vilj5hhwje37ghcamudf23orwy2inrb2eappyq5um5hqba._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1290e2fa7dd284fcddc2bf9caeac02ccbae1f1e715766eefd7644c245a6ecc53
Loki
5c01a6552e36179e065fcc044162f061bc780efdaaac71e7b0fe94efce6b449f
Loki
8699f030698874a541a877ae7068bde48d11e74fd9a6c817d45885e1815e0dcd
Loki
9329a473fbc644201fef14d26d708eca73a6d524c629c6b2881527525bfff3a6
Loki
9d19092e410ffb1914d7cd9271ec34b5aa8973eda65fd821851e53921a7017fe
Loki
9d4dab822267b1a1423a1a8ce5a459b1734327639db754549e60bd706648ab8d
Loki
c6b9515b2ec0ab542e367db58cefdedcd446f00ea5bf864ed1906c38ceba1e1a
Loki
fc4e8b16874c86e3d8ad3ce052b15421cd95d6c6f194587f2f5e08fa79e54172
Loki
fd5030b33e9f626dceea517a8ff935dcd2f9d9d8d6ff9ded6f998ecee7de7e52
Loki
ff927067632cbc9312282420e5ed0e75505e871970b76c169cd57f0ca52c3d84
Loki
+ 3'360 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230613-db6awsfb2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://161.35.102.56/~nikol/?p=8254674426
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
70bb528748611508cd38ef31b923abd77882530db2ac11418614fb4c3a9b6f9c
MD5 hash:
e3bca27fd272194647999061652f8323
SHA1 hash:
fdd2164b6d9ab0e3f55b0bf3223e5393145048a2
Link:
https://www.unpac.me/results/de5d57ed-9bf4-47ae-a229-cb29fa4717eb/
SH256 hash:
e2877ae666fc788353dd357cb6666d2401e6fad19f9b06790439c7fc46b79523
MD5 hash:
fd1e608512e947a1013c85b188dec2f1
SHA1 hash:
e196384b690f35439c547cd0c572dc1fb78881b6
Link:
https://www.unpac.me/results/de5d57ed-9bf4-47ae-a229-cb29fa4717eb/
SH256 hash:
35f635638695a5ce0a79565111e11cfcd8d59547d6b04cde2d45b5b2a7de7922
MD5 hash:
0fd2ad5079ffdcbda61afce86fe52247
SHA1 hash:
c437248ef3bf741ee02b1407c848a6367b79c334
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/de5d57ed-9bf4-47ae-a229-cb29fa4717eb/
Parent samples :
74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02
5db6a8dfafd6956beaf4127500cd5232d78d70165a1775fa1da58277a43327ed
852e0d9a8f474077261d053d587868b211e70eff320a7e7067c3fc1cb3253ea5
0a9a1a3c031e0eb6c938510830144f26f88effe94230b1467e09123393b99650
SH256 hash:
c3d21715277db7ebb04601f6a4f0b190b03ea06841fa476d9f986de03644a3d3
MD5 hash:
a3180feba465cce43ff7f5fb2d6bbda4
SHA1 hash:
b95508cd3ef354d17959c3de991ecc9110aabd9c
Link:
https://www.unpac.me/results/de5d57ed-9bf4-47ae-a229-cb29fa4717eb/
SH256 hash:
13e9be0aba1cef3943954d2a204472356721075f8ecbfe565a476aec8346fdc6
MD5 hash:
4ce78b41df3f0bb4dff20793bcc9f78d
SHA1 hash:
4de22b09a356224b9916836ba2ee181d369d5f4f
Link:
https://www.unpac.me/results/de5d57ed-9bf4-47ae-a229-cb29fa4717eb/
SH256 hash:
74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02
MD5 hash:
f7a0a3105745f26502de6d9f93790653
SHA1 hash:
221cefb7dc04927fdead5f1c775cdb6457580e36
Link:
https://www.unpac.me/results/de5d57ed-9bf4-47ae-a229-cb29fa4717eb/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74c7307aa85a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 74c7307aa85a7a73d924dfcc7101941975b746d8d21b10e8807bf10ed19d3c02

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2649114/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/398127/

Comments