MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c
SHA3-384 hash: 11a782a48025a223e197172079fa246828cd5759e87bcd9c919a75b707cb194ced3a3a763186e1815e6c7e1d55a50fa9
SHA1 hash: c5a1191a30e23faba26015516e5d8d4b4de45ace
MD5 hash: fa6536e054d60cc2d1437f224dccd8a9
humanhash: six-east-low-magazine
File name:SecuriteInfo.com.Trojan.PWS.Stealer.23680.15049.4950
Download: download sample
Signature Loki
Create hunting rule
File size:359'424 bytes
First seen:2020-10-15 15:42:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:d+9jBnQurvvBpUcJgyr4OmKhcriu2fUUy/CEOTG:d+xBNLBTJgEfWrIOCE
Threatray 1'908 similar samples on MalwareBazaar
TLSH DB74BFA015D5B52DCA2A9F72E2B203C0F96862867EF4460C3D7EC14D0D2EA9B775133E
Reporter SecuriteInfoCom
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71460/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.23680.15049.4950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492704
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298816 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 5 other signatures 2->41 7 SecuriteInfo.com.Trojan.PWS.Stealer.23680.15049.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 2->13         started        process3 file4 27 C:\Users\user\usbg.exe, PE32 7->27 dropped 29 C:\Users\user\usbg.exe:Zone.Identifier, ASCII 7->29 dropped 31 SecuriteInfo.com.T...23680.15049.exe.log, ASCII 7->31 dropped 33 2 other files (none is malicious) 7->33 dropped 51 Drops PE files to the user root directory 7->51 53 Tries to detect virtualization through RDTSC time measurements 7->53 15 cmd.exe 1 7->15         started        17 usbg.exe 2 7->17         started        19 usbg.exe 3 11->19         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        43 Multi AV Scanner detection for dropped file 19->43 45 Machine Learning detection for dropped file 19->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 process8 signatures9 49 Creates an autostart registry key pointing to binary in C:\Windows 22->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 01:20:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8
Loki
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
62a3f96dbc53b59dc32cac8f2627992d4152cbd6735e488c4ae86f089dc97aa8
Loki
814b0968761c0dbd4a43208cd82d150aa6608538abb845561257687ed9cd0524
Loki
8867e72aaf3985ed148d3049c628d73ba0024e3129e466c17bd6a665be9e84f0
Loki
96ff361eeb8ab440652d1cbb8b28146f8dd9ee8cf9885f84ff4592b2551da57f
Loki
a702e991a5cf37a366df45fe22e62035795de3d38a36b87c17403c4283abf369
Loki
f5744fe38455554d445847e8dd1794570176bab8fc9b56f9bdd9406a59010a7e
Loki
f94e8615fb3b739ab3ad8ec81511b5439a72d4e865a5f9975aa524ac6036d3c2
Loki
+ 1'898 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201015-em4f13c62a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://192.236.178.210/sick1/33/cgi.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c
MD5 hash:
fa6536e054d60cc2d1437f224dccd8a9
SHA1 hash:
c5a1191a30e23faba26015516e5d8d4b4de45ace
Link:
https://www.unpac.me/results/b6a56010-4551-4be2-b189-cfdde2cd4a73/
SH256 hash:
fe2704a83d24aeed843b24544f1097fac72c778ae366013d467c856f89516012
MD5 hash:
426994c458b2db44f9d1965ec016af2b
SHA1 hash:
2b5b5a39d1fed3925e05ce730a85e542e0d5b1cc
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/b6a56010-4551-4be2-b189-cfdde2cd4a73/
Parent samples :
db83a3e2df5a18c17425bfd6e073a153975b2127712cfea49ea3212068cd77f6
771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c
SH256 hash:
55e47b79a8544a6c62254588691f067f0f02e246f4ccdc2a38e5377d6c767c7e
MD5 hash:
39c366e22cdb28731d2899a2f7fcbe57
SHA1 hash:
32df7b896ecd52dcfd5acdd1711eb0e480a4abf0
Link:
https://www.unpac.me/results/b6a56010-4551-4be2-b189-cfdde2cd4a73/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/b6a56010-4551-4be2-b189-cfdde2cd4a73/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
e3f3f21f1da73f127615d0ce7f20b1159facd9b5015ef223de73dddbcdf1f59a
MD5 hash:
7a4f8f06291d4cff66c36c4963e2d0e6
SHA1 hash:
dfe8b19e175fb63bd891664e11e9f7fa646f4bf1
Link:
https://www.unpac.me/results/b6a56010-4551-4be2-b189-cfdde2cd4a73/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/71460/
  
URLhaus
https://urlhaus.abuse.ch/url/697813/
  
Delivery method
Distributed via web download

Comments