MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07
SHA3-384 hash: fb6679ab13756961d98da72aead9a698dfe5c1782c79676cf5253397b1e9993af6abe90642647ec0e6edfbd4b0de1aa3
SHA1 hash: 01c9097664cafdec4058a4ba8553cbf7d0c333f5
MD5 hash: 97c2aecf2380200fc50b84d72af34480
humanhash: autumn-low-black-victor
File name:97c2aecf2380200fc50b84d72af34480
Download: download sample
Signature Loki
Create hunting rule
File size:376'832 bytes
First seen:2021-08-27 06:13:45 UTC
Last seen:2021-08-27 07:42:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 6144:64XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pzy:xXe9PPlowWX0t6mOQwg1Qd15CcYk0WeC
Threatray 5'523 similar samples on MalwareBazaar
TLSH T1FC84124548C4CCA6E72AB370D0B7CE9819757832CCD56B689754EA2EB870343B853E6F
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97c2aecf2380200fc50b84d72af34480
Verdict:
Malicious activity
Analysis date:
2021-08-27 06:16:51 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/91ad1dc8-2614-429b-9906-df69b9016e90

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182802/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0e7ca3a0-b3f8-466a-ad1a-373c5ca97e3f
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840199
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 05:48:15 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2d65a3c7da04463e34efa56f9754da234575e1082c239ce1aad1d2115d4d029a
Loki
3dd38daa4ca8630ccda829c5d97e744ed278ddbf9c79161450cdb9517c74e027
Loki
4a6b31994025e7a6dcfeab2954dd3ae8aba701d227ac5b9684ca97e1031256c5
Loki
8344690f025846a5a0dcf5d6012a94cddcfe48ffcc06fa6d566bb4ef149e6716
Loki
989e2813477a4245e0357e0f8e49afae384af828c95eea29c0e56b905d8290fe
Loki
a576c7f2ef99f454afdd5c93e22bfdcd0dcbe75c2bd909f37fed84226caaaa14
Loki
ad03d6c2459c0ee88848bd587581f4dc1183017aac47a757e566e0390e727f4d
Loki
ae3ba262ffc14ea78944dee9331e9336f508b0b283481262ab2ee81b90023bd1
Loki
e9e3490df4628c80e10723892c75cd036d340e4a09ca9527c5710e1b01e3847a
Loki
+ 5'513 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210827-zjcjrj3a1e/
Behaviour
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://brokenislegion.cf/BN1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
50a3f1816a2aa389d5da0e0bae29bb14ebb9d35a5183d77b9607108fb09a02d4
MD5 hash:
0929c6a757b546bf4a85d3c527cdb6ed
SHA1 hash:
565f6b072cf308d32dcd76d4d2e950b650ee624c
Link:
https://www.unpac.me/results/e7223d14-18af-4968-adbb-374d29690f65/
SH256 hash:
8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07
MD5 hash:
97c2aecf2380200fc50b84d72af34480
SHA1 hash:
01c9097664cafdec4058a4ba8553cbf7d0c333f5
Link:
https://www.unpac.me/results/e7223d14-18af-4968-adbb-374d29690f65/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8083fc125756/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 8083fc125756be5ccebc8b837ffd80063f42696159291e0df941c28f03170b07

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182802/
  
URLhaus
https://urlhaus.abuse.ch/url/1568586/

Comments


Avatar
zbet commented on 2021-08-27 06:13:46 UTC

url : hxxp://192.3.122.174/union/vbc.exe