MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80e4ff6169f0a61d0aad72d84f3eb7d14b60092d2d0a64685701f1c9c3273ee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80e4ff6169f0a61d0aad72d84f3eb7d14b60092d2d0a64685701f1c9c3273ee3
SHA3-384 hash: ecbb29b70212ba819d90e646f4f8545472ec83e5a1e3fdd2bef624ee532f482372afc9d030a1e1ccc48b706f5a9c3535
SHA1 hash: f18046dde2c880fd8e29b3586df3018076a078bf
MD5 hash: 9a42c4303353aacc9b2e0e948ecd3754
humanhash: table-bravo-ceiling-grey
File name:SecuriteInfo.com.Artemis9A42C4303353.9857
Download: download sample
Signature Loki
Create hunting rule
File size:294'712 bytes
First seen:2020-11-03 22:49:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:4VhByvIXWLSv+n33ktglHDA/5i0J0w5JehcHARRalhlYbuMOBCQO+zCRTrH4f9v7:4VLhX2h3JODJZJvARRarfIeC1cfqL3
Threatray 2'283 similar samples on MalwareBazaar
TLSH EF54C0767D92586ECABB077240A585C1FEB622C33FA5CB0D715E430C0E01A2BEB5725B
Reporter SecuriteInfoCom
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82147/
Detection(s):
SecuriteInfo.com.Artemis9A42C4303353.9857.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/519678
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308940 Sample: SecuriteInfo.com.Artemis9A4... Startdate: 04/11/2020 Architecture: WINDOWS Score: 88 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected Lokibot 2->40 42 2 other signatures 2->42 7 SecuriteInfo.com.Artemis9A42C4303353.exe 7 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 dnsIp4 28 C:\Users\user\dbhy.exe, PE32 7->28 dropped 30 SecuriteInfo.com.A...A42C4303353.exe.log, ASCII 7->30 dropped 32 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->32 dropped 48 Drops PE files to the user root directory 7->48 16 cmd.exe 1 7->16         started        18 dbhy.exe 2 7->18         started        20 dbhy.exe 3 11->20         started        34 192.168.2.1 unknown unknown 13->34 file5 signatures6 process7 signatures8 23 reg.exe 1 1 16->23         started        26 conhost.exe 16->26         started        44 Multi AV Scanner detection for dropped file 20->44 process9 signatures10 46 Creates an autostart registry key pointing to binary in C:\Windows 23->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80e4ff6169f0a61d0aad72d84f3eb7d14b60092d2d0a64685701f1c9c3273ee3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 08:40:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdsp6ylj6ctb2cvnolme6pvx2ffwacjnfufgi2cxahy4tqzhh3rq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1d3d44df085d231a43397a495f061b15ccb2a398bbb249feeb2a736d2b817e3f
Loki
229c2a76e14bcb4b84636f972a2acdedad5295dac077e9f6d895ca8a4f37f6c3
Loki
3268f1c7fa17a732fee543ec75d3cfb6bf55354e751a25394bf2e980ec10e65b
Loki
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
Loki
4f2b6c1fbfac2696eeae6c7d2484bbc42c8f211f167ec16ff9e5a16be7c06616
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
56156c5b658580571c626897cd0e5c5ec46583f6907ead2ef5d73ee76324f18e
Loki
6691e9168b039728f0616a60def86e948c4a3a84e3120476c58eff14ef86d239
Loki
814b0968761c0dbd4a43208cd82d150aa6608538abb845561257687ed9cd0524
Loki
8867e72aaf3985ed148d3049c628d73ba0024e3129e466c17bd6a665be9e84f0
Loki
+ 2'273 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer trojan
Link:
https://tria.ge/reports/201103-r3t3fbdj2a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://192.236.161.248/vak/1/cgi.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
80e4ff6169f0a61d0aad72d84f3eb7d14b60092d2d0a64685701f1c9c3273ee3
MD5 hash:
9a42c4303353aacc9b2e0e948ecd3754
SHA1 hash:
f18046dde2c880fd8e29b3586df3018076a078bf
Link:
https://www.unpac.me/results/f44b9817-b045-4f32-9bbc-a0b656ccfc49/
SH256 hash:
ffd39c4dee5c5deb25ed7d06f07635700848eb03933d7926d0d0ade7cd321e27
MD5 hash:
90640439bae09907e04b4c88a9b6bba7
SHA1 hash:
101159bc1f186dc769c97833cbbbf6ec6c4df646
Link:
https://www.unpac.me/results/f44b9817-b045-4f32-9bbc-a0b656ccfc49/
SH256 hash:
85149b884607f6bb7317c7fb893b8cabc550422ecd62bd59509a3d5fcf44b56d
MD5 hash:
a5baef204b1c2470b3692ead91645bcc
SHA1 hash:
636c826cd651b6817711353b140d7960731daec5
Link:
https://www.unpac.me/results/f44b9817-b045-4f32-9bbc-a0b656ccfc49/
SH256 hash:
93153097c84f9c58f26433d948fdbb67ea0acd13ce1cc03ba55419732b4e5c15
MD5 hash:
83e847c830eca309f80f1c4554b51228
SHA1 hash:
a3af5f5816055dd92affc082b66825d46379981a
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/f44b9817-b045-4f32-9bbc-a0b656ccfc49/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 80e4ff6169f0a61d0aad72d84f3eb7d14b60092d2d0a64685701f1c9c3273ee3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/82147/
  
URLhaus
https://urlhaus.abuse.ch/url/783937/
  
Delivery method
Distributed via web download

Comments