MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76455f7336aa729ffcfa29bfd7b2d558be37e5996b6906c56f6a7e7d01a52764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76455f7336aa729ffcfa29bfd7b2d558be37e5996b6906c56f6a7e7d01a52764
SHA3-384 hash: b12f73a106d118284e642eaacb502d0052f49efa9af287fa80f739e67e54031b9c4161e8d74c919dabc1f140e1210e56
SHA1 hash: d2059928700b35792850fb5995788bd45f60a8c1
MD5 hash: 02c68ade0e640be3bab30307f1326981
humanhash: jupiter-leopard-don-triple
File name:Tpxgwea.exe
Download: download sample
Signature Loki
Create hunting rule
File size:227'128 bytes
First seen:2021-05-04 16:04:21 UTC
Last seen:2021-05-04 17:03:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:7eDu5P+vZJKZ0HTzk2hyLp/ChdWKEsth6xvzCKz4R6/IopNAOrseKpHKGu:wN4Qt+2NEi6xv+x6/IoIOtMKG
Threatray 36 similar samples on MalwareBazaar
TLSH 1424DF12BED49711C5B04937C6E2C1387B72AF829512C66B7D9F730647333ED990AE8A
Reporter James_inthe_box
Tags:exe Loki signed

Code Signing Certificate

Organisation:Discord Inc.
Issuer:DigiCert EV Code Signing CA (SHA2)
Algorithm:sha256WithRSAEncryption
Valid from:2018-03-14T00:00:00Z
Valid to:2021-02-18T12:00:00Z
Serial number: 04f131322cc31d92c849fca351d2f141
Intelligence: 17 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 584035e0344227fc32c92a7f3fd4d88594a26c2e953360543d613329e99122dd
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan0057be311.15568.31956.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/710385
Signature
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/76455f7336aa729ffcfa29bfd7b2d558be37e5996b6906c56f6a7e7d01a52764/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-05-04 16:03:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ozcv64zwvjzj77h2fg75pmwvlc7dpzmznnuqnrlpnj7h2anfe5sa._file
Verdict:
suspicious
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
Loki
2afd183ed90b0d240dad19c417fa762da0295aa0614dd20809b406e33ff2304f
Loki
55f1a2084fd1c1d5477519f06b02aa4fa4d917aaceffd116fc45820dc49a7795
Loki
87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7
Loki
b25aeadf9b7a24092bf9cc73be9f45ccfa08ac94c5a883aff2d8d8a5df68ffd9
Loki
b8f8eab3a49bec6b9306853e8e5e2da49ba66b5773b259a2d6edfba479d10e85
Loki
c582dac0f0f94c07579c35ab71f62b25bf499123d3bea89a33a6b8a80ee3325c
Loki
f13627e2828eca6397c7dc7af40f006250e7583857e909615aad94b340bcb30e
Loki
f8fc64a8c85d805e7f6314711dc42052000c831657472cd65a9becb50ad3263c
Loki
fe5893ebe83a275869f55b370b0cd5334dabc2ff55d6ec03e923d89ae662f2f3
Loki
+ 26 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210504-ew82ze172s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://209.141.50.70/D3/13/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
a635bca9ef36d8e1aa4d0d0ca12df152041673d5f0b4c5556f16b724d4cefad6
MD5 hash:
f2ff4af9f87bfcaa72da865e194d5ba2
SHA1 hash:
b7f4af9811e9ee5de46e69f6395f7ce644777ed4
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/bcc6c6e3-85c3-4152-af7e-b1357ddd63ab/
SH256 hash:
1c1c8dfbc6602bbf83551245a3a3ab6964bb75f2f4a271faea8af3f20c388d1e
MD5 hash:
da08dc6e2e326096ab72b9f000ff035a
SHA1 hash:
be72a1dc96fe92e95ff980ad3ffe6f8f05ee6440
Link:
https://www.unpac.me/results/bcc6c6e3-85c3-4152-af7e-b1357ddd63ab/
SH256 hash:
8599c6584374743bf1941e9caa5874f97cff80fb10c247786ec67f6506791e26
MD5 hash:
c082c5661d0b89d7b3401bb3a75027c9
SHA1 hash:
832494657de4cc2f83ad192a9bba10d9095f489c
Link:
https://www.unpac.me/results/bcc6c6e3-85c3-4152-af7e-b1357ddd63ab/
SH256 hash:
76455f7336aa729ffcfa29bfd7b2d558be37e5996b6906c56f6a7e7d01a52764
MD5 hash:
02c68ade0e640be3bab30307f1326981
SHA1 hash:
d2059928700b35792850fb5995788bd45f60a8c1
Link:
https://www.unpac.me/results/bcc6c6e3-85c3-4152-af7e-b1357ddd63ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76455f7336aa729ffcfa29bfd7b2d558be37e5996b6906c56f6a7e7d01a52764

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/1193502/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 17:02:25 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection