MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77ce5d839b7c135917a5089c55a3601d16ac8e803506162cb88d2f1c005682fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77ce5d839b7c135917a5089c55a3601d16ac8e803506162cb88d2f1c005682fc
SHA3-384 hash: 925bbf4930367b1e65c73bc1bdeba329da877c721e1100a01a3b7307f06ebc2fc72bb4abaf5b6631a699e1cef7a7bf60
SHA1 hash: 9bab6a8dfb09144e0c0b4d5836170eefcea2facb
MD5 hash: fb57623fd799411795240a99479b4648
humanhash: skylark-pasta-rugby-cup
File name:fb57623fd799411795240a99479b4648.exe
Download: download sample
Signature Loki
Create hunting rule
File size:253'952 bytes
First seen:2022-04-28 07:01:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a4e3d3d047300d519343d22d03d612c (2 x Loki, 1 x RedLineStealer)
ssdeep 3072:RVMDbcMajB4lQAaLbXBQo0ieoJHzx3xvPfGmytn:bMUMajB4QbR1RTTHfGjt
Threatray 7'541 similar samples on MalwareBazaar
TLSH T1B944BF2275E08032D6F7293058B4A7A22E7FB862677485CF2798266E1F307D15FB8357
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
289
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
http://172.245.94.136/200/vbc.exe
Verdict:
Malicious activity
Analysis date:
2022-04-28 07:11:31 UTC
Tags:
opendir loader stealer trojan lokibot
Link:
https://app.any.run/tasks/f116d392-c2f9-4b8d-b25b-dfe9e5b9ac81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267456/
Detection(s):
Win.Malware.Filerepmalware-9941437-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Sending a custom TCP request
Stealing user critical data
Query of malicious DNS domain
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit
Link:
https://www.filescan.io/uploads/626a3bf52b32b1c37c6aa3ef/reports/3e74e7b1-9339-4130-9ae4-e00dc2f60cbe/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ec5cceb-9e09-4675-bd2e-6e538d20ff6a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/984605
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77ce5d839b7c135917a5089c55a3601d16ac8e803506162cb88d2f1c005682fc/
Threat name:
Win32.Trojan.RelineStealer
Create hunting rule
Status:
Malicious
First seen:
2022-04-28 07:02:06 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7hf3a43pqjvsf5fbcofli3adulkzduagudbmlfyruxryacwql6a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
067ba1eef584f508f510de3878bd69532e1e41d898a33f90f9bb5d39b3b5785f
Loki
6fa3ca5bec61c6c9427b467ecefd895568f9d2db64097a2acb5d987228f97b0c
Loki
733662f82e9957520803040fdc7ac39766988c8fbe989544be40154cafce3ed5
Loki
7ec8d23c5167687f3e60e57527cedf105a3de3b1d88e47924d96bad31bfe5385
Loki
8bf11c49109e41553a01c4845eaacd7dd10826686b2dd3f61b9d2f4526b57235
Loki
8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9
Loki
c96cf705eb006595aacff76fd7bbca8e753c7205cc4959581d144c34ff074f4a
Loki
+ 7'531 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220428-hs9rvsfddj/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://sempersim.su/gf4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
bc592e495ec53486825dd9d5e3b4c02c2b614d62a39b4e3c150a546bd9f7d771
MD5 hash:
a4aceed5c71c4c3d3fd1650409c455d9
SHA1 hash:
73696994997e7b821356766acd5654d38351295b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/68f61dae-7294-4e97-8f8e-f4a830beb7b3/
Parent samples :
92bb5012578914468bee4337e356ee6932c50ce7718a6ff7ce5ee89de97cc850
536b1a2e43876d21945ef534ad7beeaf57fa0617110306836c4c9cb78b6fe352
3e207688b841d8557a8ff3c065d55364a547e8397620c7f7ab149c2905c8f4bd
77ce5d839b7c135917a5089c55a3601d16ac8e803506162cb88d2f1c005682fc
SH256 hash:
77ce5d839b7c135917a5089c55a3601d16ac8e803506162cb88d2f1c005682fc
MD5 hash:
fb57623fd799411795240a99479b4648
SHA1 hash:
9bab6a8dfb09144e0c0b4d5836170eefcea2facb
Link:
https://www.unpac.me/results/68f61dae-7294-4e97-8f8e-f4a830beb7b3/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/77ce5d839b7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77ce5d839b7c135917a5089c55a3601d16ac8e803506162cb88d2f1c005682fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 77ce5d839b7c135917a5089c55a3601d16ac8e803506162cb88d2f1c005682fc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2168707/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/267456/

Comments