MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f2711dffffeb5989c868de4480e0d84887ae4ae36a010558ea68c503b3161cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

SHA256 hash: 7f2711dffffeb5989c868de4480e0d84887ae4ae36a010558ea68c503b3161cd
SHA3-384 hash: 86ff98082559f60109cad1d9655f7932133d5fc48dd80eb6b48b5b351caa83cb4e4d080056fae0c1504d6b62d6174d65
SHA1 hash: b3b5e1c38eb6de9d244cbc628598af568fcc308e
MD5 hash: cf96c1c9dd6bff77458a131f6f77fddf
humanhash: robert-romeo-johnny-gee
File name: Rag Sefid Project FITTINGS-AG&UG.exe
Signature: Loki
File size: 206'565 bytes
First seen: 2022-05-26 12:25:31 UTC
Last seen: 2022-05-30 07:54:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 55f3dfd13c0557d3e32bcbc604441dd3 (124 x Formbook, 18 x Loki, 13 x AgentTesla)
ssdeep: 3072:Bvwfm4afmJ6ZHN+d15OYKKwBAYi18uHZzmHkIoxDR5R6X+iJy6fz37HkUulvHNjC:B0Y7t+d1Q9ix5zxpxDRiX+i3Z6V3UL
Threatray: 7'934 similar samples on MalwareBazaar
TLSH: T117141275F6C188FBF54A46311EA3BAB8DEF06F041822154F27186E6A7C1B6C6E4493D3
TrID:
  92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
  3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: malwarelabnet
Tags: exe Loki Lokibot

Intelligence
File Origin
# of uploads: 3
# of downloads: 447
Origin country: n/a

Vendor Threat Intelligence
Malware family: lokibot
ID: 1
File name: Rag Sefid Project FITTINGS-AG&UG.exe
Verdict: Malicious activity
Analysis date: 2022-05-26 12:33:15 UTC
Tags: installer trojan lokibot stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2022-05-26 08:04:43 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot collection spyware stealer suricata trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://sempersim.su/gg8/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: 5c9441cb445392a403135038d3c2cce2d9c5ce830039dbe88528c60c6c6c7ceb
MD5 hash: 8567a9aeec15c0909fd1685d3a4c97c7
SHA1 hash: df4bf786680058f887eb3275a9798e54ecf59815
Detections: win_lokipws_g0 win_lokipws_auto

SHA256 hash: 0da299f6328e0b90f18d1eba1c2bccf23d51e21f8bdb70a3f641d0377d8e6034
MD5 hash: 486c65f2fafd7bfe1aac20694e805a7f
SHA1 hash: 1f05e2e7d931cd857839ed3988978676348483a5

SHA256 hash: 7f2711dffffeb5989c868de4480e0d84887ae4ae36a010558ea68c503b3161cd
MD5 hash: cf96c1c9dd6bff77458a131f6f77fddf
SHA1 hash: b3b5e1c38eb6de9d244cbc628598af568fcc308e
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Loki
Executable exe 7f2711dffffeb5989c868de4480e0d84887ae4ae36a010558ea68c503b3161cd (this sample)

Delivery method: Distributed via web download
