MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82d8ad240a6cbc8317aba85cc7426c853a83cfc183416184a5b80857280330ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	82d8ad240a6cbc8317aba85cc7426c853a83cfc183416184a5b80857280330ea
SHA3-384 hash:	b5fce1edbe4d5bbd997ecd0fba9a91e2b5b4dac39a72fa4e4ab4329106ff5277113e5e8ba5938d58daa432ba2df810c6
SHA1 hash:	7cfaef0b30039f559b5e9a9d1885703335e1320b
MD5 hash:	3b7e623b0cc415bf57c402a95b842ce2
humanhash:	mike-ceiling-mockingbird-princess
File name:	Obavestenje o prilivu za 0050·700·030·084·074·pdf.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	498'176 bytes
First seen:	2021-10-02 06:56:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:izbEZdn9RX79ZnQr53xFPnosPD50arlivE4:Ko7z/653rdGarli84
Threatray	4'820 similar samples on MalwareBazaar
TLSH	T14AB4F15E332BAA2BCE7802F952108CC2E7B45419194AE3ED9EC574ED65DBFEC0E41943
File icon (PE):
dhash icon	eac6a6cc96b28acc (16 x Loki)
Reporter	abuse_ch
Tags:	BIH exe geo Loki

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Obavestenje o prilivu za 0050·700·030·084·074·pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-10-02 06:56:42 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/ef0856ab-49d9-44b2-9204-f71084fdf794

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/194127/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

SecuriteInfo.com.Trojan.PackedNET.1068-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/067aecf3-ac4a-4447-8f77-380a6e9cea31

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/863086

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/82d8ad240a6cbc8317aba85cc7426c853a83cfc183416184a5b80857280330ea/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-02 01:59:00 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qlmk2jakns6igf5lvbomoqtmqu5iht6bqnawdbffxaefokadgdva._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

56962cd0611f65c29cb8dc9917483599c201ec067ca1b5db314a88fc56b88666

Loki

813643e0360e8502bbb023e01048d91c300fa8fdae2b5c3023d56fd3c4eaf409

Loki

8e46fce2bda79da5d4d8a9b5f3dc6c8295eee0968a9114e0559977f22dd71812

Loki

a6dcb375ec518dc845d50e3508c30168f0f12f9e28f221e14734c52fb7f29942

Loki

aed7b437005261830b850193ea274e143dbbc751e4be801665cd9555963f41b8

Loki

be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd

Loki

e9fc037d21eef032a7ea060e7da811aae2e9d949839b37492610e9f28eea17cd

Loki

+ 4'810 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot evasion spyware stealer trojan

Link:

https://tria.ge/reports/211002-hqx1aadhc6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Reads user/profile data of web browsers

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Lokibot

Malware Config

C2 Extraction:

http://136.243.159.53/~element/page.php?id=466
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

c8ec19ec69db95a370f642951483d397d547afb24ed393937233bede28d6e477

MD5 hash:

80e48e71d5e088487ccd664e54b83712

SHA1 hash:

dd2d1960955463198e3f6a559a331a7158753581

Link:

https://www.unpac.me/results/e2d6abf8-7748-4e5d-9ca3-11e7cf114da4/

SH256 hash:

8284626bb324db0a4b2516f9b5dc1da92a26e6315f7a2fe771079a99021125fe

MD5 hash:

eaddb22aa4c81beb01cd9f45fb47809c

SHA1 hash:

dca3c2c7c76f332ad5cf31ab7be227de4e0aa6c8

Link:

https://www.unpac.me/results/e2d6abf8-7748-4e5d-9ca3-11e7cf114da4/

SH256 hash:

7935c40f7f1e5727b917a68dde224a5f3c7bc624db258629f7899f8e5c4f97f7

MD5 hash:

bf34639d2e354d82518929efb0bbfab5

SHA1 hash:

6369631949bcff9cce3e4f8bea91fc35d0f61ccb

Link:

https://www.unpac.me/results/e2d6abf8-7748-4e5d-9ca3-11e7cf114da4/

SH256 hash:

8a05bb1d878c4de68dd06ab1ad7a43af1cb5f6299f9d8ccf688447fec5675afd

MD5 hash:

ff433a04a0163cde9da4c902ef723b68

SHA1 hash:

33b083c791fbc0b512d18467c4baf83e6252871e

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/e2d6abf8-7748-4e5d-9ca3-11e7cf114da4/

Parent samples :

0a63444e894541bf79ebcca5ed0878a488ab5b184ba2631a6e9492aa71021c6e
9196a49f6a366b5e4ea9746f79d12e8298b0d1742473ad80f3c1aca2bbad1239
235edee105bd7805d4650b7120bb35600b96df1e1ac169d7b7979e3d4f976a3a
82d8ad240a6cbc8317aba85cc7426c853a83cfc183416184a5b80857280330ea

SH256 hash:

82d8ad240a6cbc8317aba85cc7426c853a83cfc183416184a5b80857280330ea

MD5 hash:

3b7e623b0cc415bf57c402a95b842ce2

SHA1 hash:

7cfaef0b30039f559b5e9a9d1885703335e1320b

Link:

https://www.unpac.me/results/e2d6abf8-7748-4e5d-9ca3-11e7cf114da4/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/82d8ad240a6c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/82d8ad240a6cbc8317aba85cc7426c853a83cfc183416184a5b80857280330ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/194127/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample