MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 80f4803c1ae286005a64ad790ae2d9f7e8294c6e436b7c686bd91257efbaa1e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 15
| SHA256 hash: | 80f4803c1ae286005a64ad790ae2d9f7e8294c6e436b7c686bd91257efbaa1e5 |
|---|---|
| SHA3-384 hash: | e657545c705a137a12da14e01511c2a5b7aed19e0818023f9d043436190e166906a9b6d2aa826f93dc951dbe26022ed0 |
| SHA1 hash: | 5ab2b06e5c32c58cb02ad5b5681900bdd5ecc604 |
| MD5 hash: | 7788af5a8c3b75f2ed179ec0a4baa162 |
| humanhash: | queen-connecticut-three-undress |
| File name: | 7788af5a8c3b75f2ed179ec0a4baa162.exe |
| Download: | download sample |
| Signature | Loki |
| File size: | 954'368 bytes |
| First seen: | 2023-05-31 05:40:20 UTC |
| Last seen: | 2023-05-31 06:34:12 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | b24370f0178612108b2f925af7d8bf9e (4 x Loki) |
| ssdeep | 12288:i6sBglkYEIEPeZCSwX8Qz7OraG4E7afdhYWlvU1lDY++RvRJx:i6s+i78CSwt7LGb4IlDYTvT |
| Threatray | 145 similar samples on MalwareBazaar |
| TLSH | T1EB152C153A5F221EF18CA975BF5535AE22162F239212C03103F7F76E627DC7A1CA43A9 |
| TrID | 41.6% (.OCX) Windows ActiveX control (116521/4/18) 29.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 4.6% (.SCR) Windows screen saver (13097/50/3) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) |
| File icon (PE): |  |
| dhash icon | 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger) |
| Reporter |  abuse_ch |
| Tags: | exe Loki |
Intelligence
File Origin
# of uploads :
3
# of downloads :
257
Origin country :
NLVendor Threat Intelligence
Malware family:
lokibot
ID:
1
File name:
7788af5a8c3b75f2ed179ec0a4baa162.exe
Verdict:
Malicious activity
Analysis date:
2023-05-31 05:41:00 UTC
Tags:
lokibot
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Result
Verdict:
Clean
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug hacktool lolbin packed
Verdict:
Malicious
Labled as:
Zusy.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Verdict:
Malicious
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Casdet
Status:
Malicious
First seen:
2023-05-29 15:36:34 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Similar samples:
+ 135 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://95.164.23.2/swe/h/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
e060fe65eb27aa99429bb575a5b2ce0d6999244d74fde0fbeac2d4eb6699bfdd
MD5 hash:
2564fd1b2703b44aafea046441bd070b
SHA1 hash:
7a0178dbcd93a5909e95c0276809019f1609afd5
SH256 hash:
e4d6e26d22ae36e06e1736f22515051b3c9fb702b28c1b7cbcdb2b432886d7de
MD5 hash:
09bea60cf0fcfad42205cde8ae5c79e5
SHA1 hash:
649f5a7e6555b928f7e58957868d8a1727193fcd
Detections:
lokibot
win_lokipws_auto
win_lokipws_g0
lokibot
win_lokipws_auto
win_lokipws_g0
SH256 hash:
e060fe65eb27aa99429bb575a5b2ce0d6999244d74fde0fbeac2d4eb6699bfdd
MD5 hash:
2564fd1b2703b44aafea046441bd070b
SHA1 hash:
7a0178dbcd93a5909e95c0276809019f1609afd5
SH256 hash:
82ece6ffe6ec5de29691d1d9e415cd8afc6190c31954bbb171101ac224689994
MD5 hash:
dfed7a546408b4b308bbc72f01ee1bd2
SHA1 hash:
c588c7b36f997c5e6fd93231000bab03da080faf
SH256 hash:
e4d6e26d22ae36e06e1736f22515051b3c9fb702b28c1b7cbcdb2b432886d7de
MD5 hash:
09bea60cf0fcfad42205cde8ae5c79e5
SHA1 hash:
649f5a7e6555b928f7e58957868d8a1727193fcd
Detections:
lokibot
win_lokipws_auto
win_lokipws_g0
lokibot
win_lokipws_auto
win_lokipws_g0
SH256 hash:
6da323ccc53edb10848665d5bdab819045063f6003a6fccdac7a2ab9f86b1b86
MD5 hash:
baf5f65428580b65f50832c774539a42
SHA1 hash:
335bc979398804bf8f262d87f55ab4683e86cef0
Detections:
lokibot
win_lokipws_auto
win_lokipws_g0
SH256 hash:
19a75f1e7f3a4fb5a70f70724f6c1d3d8bfb9c1f9024cafbcd32df7eee17a181
MD5 hash:
920929cbe4ca460d1cf646d38a954115
SHA1 hash:
676c62ce453fad057fdc268a6af34b6bae32c234
SH256 hash:
df474d3566b51aae53645dcd3f99887a12dd9f355f46220445e035d540f57def
MD5 hash:
4e61297e737afcdf81386182b1d1d072
SHA1 hash:
4a0b6c69b529f4475bc202b34f31ddc2f8c59d85
SH256 hash:
80f4803c1ae286005a64ad790ae2d9f7e8294c6e436b7c686bd91257efbaa1e5
MD5 hash:
7788af5a8c3b75f2ed179ec0a4baa162
SHA1 hash:
5ab2b06e5c32c58cb02ad5b5681900bdd5ecc604
Malware family:
Lokibot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | HeavensGate |
|---|---|
| Author: | kevoreilly |
| Description: | Heaven's Gate: Switch from 32-bit to 64-mode |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many file transfer clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_GENInfoStealer |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing common artifcats observed in infostealers |
| Rule name: | infostealer_loki |
|---|
| Rule name: | infostealer_xor_patterns |
|---|---|
| Author: | jeFF0Falltrades |
| Description: | The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads. |
| Rule name: | Loki |
|---|---|
| Author: | kevoreilly |
| Description: | Loki Payload |
| Rule name: | LokiBot |
|---|---|
| Author: | kevoreilly |
| Description: | LokiBot Payload |
| Rule name: | malware_Lokibot_strings |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Lokibot in memory |
| Reference: | internal research |
| Rule name: | meth_get_eip |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | PE_Potentially_Signed_Digital_Certificate |
|---|---|
| Author: | albertzsigovits |
| Rule name: | STEALER_Lokibot |
|---|---|
| Author: | Marc Rivero | McAfee ATR Team |
| Description: | Rule to detect Lokibot stealer |
| Rule name: | SUSP_XORed_URL_in_EXE |
|---|---|
| Author: | Florian Roth (Nextron Systems) |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | SUSP_XORed_URL_in_EXE_RID2E46 |
|---|---|
| Author: | Florian Roth |
| Description: | Detects an XORed URL in an executable |
| Reference: | https://twitter.com/stvemillertime/status/1237035794973560834 |
| Rule name: | Windows_Trojan_Lokibot_0f421617 |
|---|---|
| Author: | Elastic Security |
| Rule name: | Windows_Trojan_Lokibot_1f885282 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_lokipws_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.lokipws. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.