MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205
SHA3-384 hash: 1f1f0891b72681be4e3fb74f0ffd8ac2f359e71e9682ab84f472b4cb84949fd3ebbaf145df2f3d0a43a4b09b73c33ed4
SHA1 hash: a92a86b932a6b7b169e53b014c46781d46ad52cb
MD5 hash: bb50f6790be3d4e60295f4aa4c1a7ec0
humanhash: eight-robert-black-apart
File name:8bb0000.dll
Download: download sample
Signature Loki
Create hunting rule
File size:376'832 bytes
First seen:2024-10-20 20:18:11 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 6144:5jeD5uheUkCRh1rmMOcN3+G1279XJ7j69ZZ25J2F8PMBj0G:BIIA/CEMOcN3+G12jj6935wG
Threatray 4'257 similar samples on MalwareBazaar
TLSH T12B846B15FF15DA5FCE8A46BBC0E50C5493B8A916A11BF71B60410AE48D07FABEF012D7
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter NDA0E
Tags:dll Loki unpacked

Intelligence

File Origin
# of uploads :
1
# of downloads :
429
Origin country :
JP JP
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10009321-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671565bd5a02f8393c72a56e
Tags:
Injection Exploit Msil
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/671565b7c7aed0374dac13ed/reports/b07228c9-50a4-4f56-be87-c4bcd7092622/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90663183-0c09-4555-90c9-67159bff204a
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1538257
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538257 Sample: 8bb0000.dll Startdate: 20/10/2024 Architecture: WINDOWS Score: 60 15 Multi AV Scanner detection for submitted file 2->15 17 .NET source code contains potential unpacker 2->17 19 Machine Learning detection for sample 2->19 21 AI detected suspicious sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-10-20 20:19:04 UTC
File Type:
PE (.Net Dll)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7tbx4jbsq2mdesmcesxzuo6epurnnrlinawyguwpdvwo3zmeicq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
04377a42bf3b120450e0e71b6a956705c367098a7e003113a26e9161166684e5
Loki
77ca4ee4e11265fae0cb39bd6ebbaca1e771411098fdd5c11a4ad6eb73b1a85c
Loki
77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205
Loki
9a4276ad411ae7595972921b035d7b625f360c1ac72d394be5f67dbcd8b483f1
Loki
a8b6ba98e17c9d17dfc5d46b89b42f6fa394a758db6e64f9f7259744e1c3a45e
Loki
error
Loki
+ 4'247 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/241020-y3trdszepq/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205
MD5 hash:
bb50f6790be3d4e60295f4aa4c1a7ec0
SHA1 hash:
a92a86b932a6b7b169e53b014c46781d46ad52cb
Link:
https://www.unpac.me/results/b5806479-0daa-4046-a977-da318b135d63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Loki

Executable exe 9a4276ad411ae7595972921b035d7b625f360c1ac72d394be5f67dbcd8b483f1

Loki

DLL dll 77e61bf1219434c1924c11257cd1de23e916b62b43416c1a9678eb676f2c2205

(this sample)

  
Dropped by
SHA256 9a4276ad411ae7595972921b035d7b625f360c1ac72d394be5f67dbcd8b483f1
  
Dropped by
MD5 d15a91a6d81b2797756a27ea8fe15874

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments