MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 821bc12d61a9ad2698823b6f54bbba6b8e9fba81a167a438f7da728d1dcd381d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 821bc12d61a9ad2698823b6f54bbba6b8e9fba81a167a438f7da728d1dcd381d
SHA3-384 hash: b1f948ebc0600a1995557ef61c62fadee463389aa52cd5d9f64c0f87413a50caede355f86e61ad7fca4f8571e93145d4
SHA1 hash: a89d1121feecb8135d11ed321270054fcac6c4fc
MD5 hash: 9b5447056270eb207a4dfa18ab8fdfe7
humanhash: early-kentucky-kentucky-coffee
File name:Bank Payment Instruction 15062021.exe
Download: download sample
Signature Loki
Create hunting rule
File size:159'744 bytes
First seen:2021-06-16 18:15:46 UTC
Last seen:2021-06-16 18:57:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646b0badad20ba025cd8fef6f59a6973 (3 x Loki)
ssdeep 1536:P96TOAbqIsNSd7YUNwH37RAb3LlUUWUnGtHj0hVLoIWhD:1WOAbqI8Sd7YUNwHLSb3LC0GtU/gD
Threatray 4'976 similar samples on MalwareBazaar
TLSH 96F34E27AC6ADA65D2514A70D8B0C2BD27037D33AA57CE2363277F5FAC705979CA020D
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://63.141.228.141/32.php/jYuciSQpqtrra

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://63.141.228.141/32.php/jYuciSQpqtrra https://threatfox.abuse.ch/ioc/130847/

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank Payment Instruction 15062021.exe
Verdict:
Malicious activity
Analysis date:
2021-06-16 18:33:52 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/71a68225-3229-45b5-afba-1d5ac2643fd3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.26637.20071.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6447fea7-c63c-44b1-8287-e05bb7ed1b6b
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803271
Signature
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Potentially malicious time measurement code found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/821bc12d61a9ad2698823b6f54bbba6b8e9fba81a167a438f7da728d1dcd381d/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 02:03:22 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qin4cllbvgwsngechnxvjo52nohj7oubuft2iohx3jzi2honhaoq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
184676b18d687073308c791c9145f0b0c8bc6a75fd4ed7aff7803381701c06f0
Loki
2edfadf6a3fce7840cb3c3c5509f0f229c22b37b16b467139bc407f85d116eea
Loki
42b2f84e503000a98a9aa9f476d104389bdd766b74c3899b34a01b73138ea56d
Loki
4bb72d11d5f81e16f5113c8dc0c59d5331e0cf61259bea30dc57143ef30856b9
Loki
4ee78cf82b434634075e121ebbe7dce9aa4b0a18c04f54f70d84c891f7a56507
Loki
5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494
Loki
6d0c8b1c8079ad4db2e523bdde3d9fed95003c5aa19073bceddb7b3375bfc6d2
Loki
8f1517666a1f5f7f6d0f38814909251d41de92126c2a7df0626de2fa1ae9ba1f
Loki
ced266ad59923661e84dca65e4412e0b99a11fe4868f4219142ebc49a8308fb2
Loki
e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
Loki
+ 4'966 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot downloader spyware stealer trojan
Link:
https://tria.ge/reports/210616-cqn8kt3ag2/
Behaviour
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Guloader,Cloudeye
Lokibot
Malware Config
C2 Extraction:
https://drive.google.com/uc?export=download&id=1nv4LwDuUr2paAnupIvGty8wfI-qhHm4D
http://63.141.228.141/32.php/jYuciSQpqtrra
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/cd66027e-364f-4752-a7af-8b2abc4ba680/
SH256 hash:
821bc12d61a9ad2698823b6f54bbba6b8e9fba81a167a438f7da728d1dcd381d
MD5 hash:
9b5447056270eb207a4dfa18ab8fdfe7
SHA1 hash:
a89d1121feecb8135d11ed321270054fcac6c4fc
Link:
https://www.unpac.me/results/cd66027e-364f-4752-a7af-8b2abc4ba680/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/821bc12d61a9ad2698823b6f54bbba6b8e9fba81a167a438f7da728d1dcd381d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments