MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 842b584e7a7c683cb7beb6b166149c6a0dd6d4a189cd6cf951af924e0b6327b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	842b584e7a7c683cb7beb6b166149c6a0dd6d4a189cd6cf951af924e0b6327b5
SHA3-384 hash:	8be6d1b460109d51a8f8a53ec904507ed0fcfcab4faef4285e608f4efb3d2376f30b95f66f2a5fda7f0818d5f0996420
SHA1 hash:	7275e85721129884b7390b6f5407c7d1ffc746c8
MD5 hash:	c55daada64b16d13eb9685187cc9da86
humanhash:	venus-mike-magazine-table
File name:	c55daada64b16d13eb9685187cc9da86.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	371'712 bytes
First seen:	2022-02-04 21:11:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:Lc6VO7JpyTaNQ4bNF9W/6Xib1OHj6mHc6gvyL49WMbLCaWoojc:Lc6VO7JDQ4JF9fXib1OHOm87qL495uTK
Threatray	7'365 similar samples on MalwareBazaar
TLSH	T1B8847BB4B1A78590F10B8974257CF9A402B234E3A8CA0D79277A3645CFEDE943F8564F
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://filcoco.xyz/ro/dc/pos.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://filcoco.xyz/ro/dc/pos.php	https://threatfox.abuse.ch/ioc/379391/

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

c55daada64b16d13eb9685187cc9da86.exe

Verdict:

Malicious activity

Analysis date:

2022-02-04 21:54:49 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/8cfd6d7c-4d19-4c3f-ad85-3a0e1191ef6a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/233377/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/664d8a39-5426-4978-8ec5-5ea5ee903d86

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/934300

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-04 04:05:22 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 43 (60.47%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qqvvqtt2prudzn56w2ywmfe4nig5nvfbrhgwz6krv6je4c3de62q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

1e515ef044e4ac7ab2daaeb36c3c2d0a4997220c307d63fbbba0d131e7dcdbbc

Loki

71838c0510a2a1afcda841226edfdc2bcbb636dfb6785a3c026871b0ee53b020

Loki

7b12e253b0bf89ef0535a8dc539361954c67511bcdbc709060c0b1e6ed539cb6

Loki

98a1743d70be4d658c224d74d0ed47fe330c212ac90f1ed17d48daea53500d7e

Loki

af9ac07263f577041536d7c65a5aa6f9609613e7565ee6167e95e18f6f2e1110

Loki

bd6cf98ff23cdad2f5bb43bb60e61275d8ad1ad7baeb609aa0a812fc048fede0

Loki

dc0c244674ff2d063c77edd72795ce34db8fe4fdd054ce2a7b5018fb34adba4b

Loki

dd8a3353f1fc1446d5c32585a3b90fe0743187316e96ee3d8daf9e0059738478

Loki

+ 7'355 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220204-z16tlsfcb9/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://filcoco.xyz/ro/dc/pos.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

73c080a710333eae1811d57bcb5509a61b76c964d01baceeebbeeaf3a8c185f0

MD5 hash:

a52057146f7db35ba720dff2eb31097b

SHA1 hash:

eda9c635116dd30db5e6f1f42bcf5639e66f9d4e

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/ebef284a-83bd-4f88-9530-a7dcb434257f/

SH256 hash:

325e20291b9e0e23320042f0a9a471f47cea250c363100a0a669bcfcb3a209cb

MD5 hash:

f0fd3938fa304808a05e823bead2466b

SHA1 hash:

a7310769de234f0fa8d8833867a7dd268c8c535c

Link:

https://www.unpac.me/results/ebef284a-83bd-4f88-9530-a7dcb434257f/

SH256 hash:

6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc

MD5 hash:

60a604887b3616e3ed86d81fab0a9ebb

SHA1 hash:

8db84f5f4c569c86c69aff464b2ffc4ce3dafa20

Link:

https://www.unpac.me/results/ebef284a-83bd-4f88-9530-a7dcb434257f/

SH256 hash:

842b584e7a7c683cb7beb6b166149c6a0dd6d4a189cd6cf951af924e0b6327b5

MD5 hash:

c55daada64b16d13eb9685187cc9da86

SHA1 hash:

7275e85721129884b7390b6f5407c7d1ffc746c8

Link:

https://www.unpac.me/results/ebef284a-83bd-4f88-9530-a7dcb434257f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/842b584e7a7c683cb7beb6b166149c6a0dd6d4a189cd6cf951af924e0b6327b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/233377/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample