MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c
SHA3-384 hash: a4a085634811ae860550b5cca4f69975d3b20a40aa871556e0cb1a23189b0aa375c2761b9ac9e830e0164a7f9831c975
SHA1 hash: deb295c1985b41b581ffa83b738cb1393d9d29b2
MD5 hash: cb1aa8895db7b5598823e583102f9fc6
humanhash: king-nebraska-nebraska-california
File name:cb1aa8895db7b5598823e583102f9fc6
Download: download sample
Signature Loki
Create hunting rule
File size:292'864 bytes
First seen:2021-10-04 12:44:30 UTC
Last seen:2021-10-04 14:01:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00e4a9909e1dd2f9b23ab751bea778c3 (4 x RaccoonStealer, 2 x ArkeiStealer, 2 x Smoke Loader)
ssdeep 6144:KQx21wWMsvXOWHDNVHz5buM7+ROhxxpeTr/ekI:D21wWMs2YjFuKrzxp6L
Threatray 4'840 similar samples on MalwareBazaar
TLSH T19954BE183080D7F2D6B60530ABE6CBF4592EBC6D4A66568F2BD4371E1F393E1B625302
File icon (PE):PE icon
dhash icon fcfc94f4d4dcd8c0 (3 x RaccoonStealer, 2 x RedLineStealer, 1 x DanaBot)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb1aa8895db7b5598823e583102f9fc6
Verdict:
Malicious activity
Analysis date:
2021-10-04 12:46:14 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/f578942f-fba0-4707-aa1a-cd3c0c261feb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194613/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.13176.11839.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f2f99a2-a767-4c05-b2a9-e80a6db5438a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/863940
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 12:45:15 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pgdn4ndepgu5gibzjhrc7gint2h236dlptopk477tiw2fv6zqz6a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
322d1102ed98c04de52a497d092cfd2adbec5eb974a77537601f90ad5eadf6db
Loki
47335767127792ab5cd98cc998c3f148bae889769741a28e151263f4d4dddd23
Loki
4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb
Loki
51fcc5eebacd36d6c7d517b0fe8d73404bc475a114739be7d734f336212f7157
Loki
6a65000d2899ac262440e41a15b5cd30f196cde449bcc5bb4af7824a253dfdfc
Loki
78a4072c06fb761e449186c822a647cc74425180151f98f371af8e242cb515d0
Loki
88bf715d49aa88d60cb119f371d20ace55f3c860b7ad8ab4d32053f8e814ed54
Loki
e272af98ac66fa088b63aa66caeec5ea402966a2c78bb3df09d139168437cb0f
Loki
e3efaf72472faf918f7ff2a430db45cf5ffc2eb595e1b96d4dc403603b0acced
Loki
+ 4'830 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/211004-py3dasgce5/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=475
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
35345c8777aa8ecd5257d44bc0b2cb2ff9cae106caf5ee174fe5655625b37f2e
MD5 hash:
8a29d2431d43cf80fb534a0ed540ecf0
SHA1 hash:
f141b98493cbd182fb1233e2065b86fca570726b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d566607e-3c15-439e-97d2-734a50a0f82c/
Parent samples :
4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb
8680641d5644828bf4ed6bb714bf7fc8a018748e912b56745875e471e136c953
7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c
e3efaf72472faf918f7ff2a430db45cf5ffc2eb595e1b96d4dc403603b0acced
35a1292dcbbe0e8db0893318e876fefbceb3559abe32144604c5ff66ba4dbf18
fbf8573e839732a10b86926f7431ec61f95b328db6bb074dd0f8173cbea75f2e
SH256 hash:
7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c
MD5 hash:
cb1aa8895db7b5598823e583102f9fc6
SHA1 hash:
deb295c1985b41b581ffa83b738cb1393d9d29b2
Link:
https://www.unpac.me/results/d566607e-3c15-439e-97d2-734a50a0f82c/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/7986de346479/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194613/
  
URLhaus
https://urlhaus.abuse.ch/url/1654276/

Comments


Avatar
zbet commented on 2021-10-04 12:44:32 UTC

url : hxxp://192.227.225.173/001444/vbc.exe