MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea
SHA3-384 hash: 3257860d8a712188d2a4ad2ac577897a37be6be27bc91fdd97ed548a47d8a448efd1b6e6f296184f21bf9c6c191a0255
SHA1 hash: 7f4cca369623846b45ff6b8a1392910e8b79c48b
MD5 hash: b5f70b431f67761251ca5ebdb9db5536
humanhash: twelve-delaware-jig-november
File name:AWB# 508628225003 FedEx Receipt.exe
Download: download sample
Signature Loki
Create hunting rule
File size:133'127 bytes
First seen:2021-07-12 11:37:34 UTC
Last seen:2021-07-12 12:42:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (290 x GuLoader, 50 x VIPKeylogger, 48 x RemcosRAT)
ssdeep 3072:hDxaVzwmg4CSW8JSuQbop7a1Gwn+hVmCv3ZuFxO3qE22QjQvnqyxrliS:xMm4CCAIIGwn+hVmC/66QcfiS
Threatray 3'536 similar samples on MalwareBazaar
TLSH T1D2D302103BE4C4F7F9B24771193A5B16ABF8F63704B0871F13E08F8DBA66A51951A742
Reporter malwarelabnet
Tags:exe Loki Lokibot

Intelligence

File Origin
# of uploads :
2
# of downloads :
411
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AWB# 508628225003 FedEx Receipt.exe
Verdict:
Malicious activity
Analysis date:
2021-07-12 11:47:44 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/9fa7aca2-ad28-4ff9-9c82-13c972677443

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171060/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.43301.1274.23015.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0dbcca3-9860-4eab-8438-22fe7511290d
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814783
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 04:16:48 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qk2n527xsjt6havg7m45havcesvhefzoctw3prjk2giohxjjbhva._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
47aa20a304624dbf8b71da1804f3f848ab12f2797390d0788067b542dc2c6a9c
Loki
6ebd45483d2222727a82c70feeb7c19017751b381247c7917462f26678d313d8
Loki
98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d
Loki
c4039980d8050f9deeba61533e38ffff74571e48f7304940825852c2cf8f0932
Loki
d29732d660ad3b3e1f478b179c69afae0274e5e40354e5136e22376371e795b6
Loki
d324d33233edf16f00bb4c9a06a14eee0ef15f8d90a3b9f62213e0ea9054312d
Loki
de3292924ba69a7f7dfd5b6687d6c774a7aecf8e2ac1368d30ce81c61a14e73f
Loki
+ 3'526 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210712-1qk4rjew9a/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Lokibot
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/tv9F9tOWmL3Dq
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
968e6305d5c30f227a8f621e0ecd4ba85334cde01e255415303fa582aa771d86
MD5 hash:
c4bf241a9b024d3014b06a14223d0e2e
SHA1 hash:
c7e697ccb0e4fbe7244f9f67e33d7700997e3d75
Link:
https://www.unpac.me/results/255b1a0e-19cf-44b6-962e-ee3be559c03f/
SH256 hash:
d63a0cca3c4c3bba62d82e2f3b67cfc872160cc4cc9e44a4fec011a5bf44e54a
MD5 hash:
18cac13f6bf7ef21aeab6d8effc53521
SHA1 hash:
52417de0075af70acc85988e9d72468a33de7ae0
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/255b1a0e-19cf-44b6-962e-ee3be559c03f/
Parent samples :
5bf72f77315cd7a56e2acab833c8886a06f3d0b7bd5bc617dfe71ae74d3b7d77
de3292924ba69a7f7dfd5b6687d6c774a7aecf8e2ac1368d30ce81c61a14e73f
d29732d660ad3b3e1f478b179c69afae0274e5e40354e5136e22376371e795b6
82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea
SH256 hash:
a2f1bf26fcde14cf40dfa2d2509a64ff6ec18b238a94479c8fe8245cef249200
MD5 hash:
4cca9aba745db327503aaeeec51ecc62
SHA1 hash:
37a98ef66578dbaa64d8744d8a991814489eea94
Link:
https://www.unpac.me/results/255b1a0e-19cf-44b6-962e-ee3be559c03f/
SH256 hash:
82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea
MD5 hash:
b5f70b431f67761251ca5ebdb9db5536
SHA1 hash:
7f4cca369623846b45ff6b8a1392910e8b79c48b
Link:
https://www.unpac.me/results/255b1a0e-19cf-44b6-962e-ee3be559c03f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171060/

Comments