MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84402b111a9e126f52c2ddff7e8d4ac2730bb4ed39409a83ace0a1ded0b4e982. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84402b111a9e126f52c2ddff7e8d4ac2730bb4ed39409a83ace0a1ded0b4e982
SHA3-384 hash: fa1492760cfad8da80dfe34887da61c8d0a88bb937ee6cd12367dabbf2f3480f132b5bac0d486f3c87d3be7ad98a804c
SHA1 hash: c65c73ab34c75e9167392a5cb7d1766bb3479777
MD5 hash: b9bf35c62e8315af3a6441080444f048
humanhash: april-sixteen-failed-eighteen
File name:b9bf35c62e8315af3a6441080444f048.exe
Download: download sample
Signature Loki
Create hunting rule
File size:361'472 bytes
First seen:2020-10-20 12:04:03 UTC
Last seen:2020-10-26 09:33:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:yj9ZKh2WP9wzR3qXoILXGrtI1I4wP0Gn1Ih84mOfZX9sceSM0+Azfh5waQx3D:K9EJ9wt2L2C1Iz0i1h4L9Pw1
Threatray 326 similar samples on MalwareBazaar
TLSH A674D0B17D86596EC96E077250A981C1F6BA26C73F518F1D729B430C0E11B2BFB2325B
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73474/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497622
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301020 Sample: w43wMdeuII.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected Lokibot 2->39 41 3 other signatures 2->41 7 w43wMdeuII.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 27 C:\Users\user\oshg.exe, PE32 7->27 dropped 29 C:\Users\user\oshg.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\w43wMdeuII.exe.log, ASCII 7->31 dropped 33 2 other files (none is malicious) 7->33 dropped 51 Drops PE files to the user root directory 7->51 53 Tries to detect virtualization through RDTSC time measurements 7->53 15 cmd.exe 1 7->15         started        17 oshg.exe 2 7->17         started        19 oshg.exe 3 11->19         started        signatures5 process6 signatures7 22 reg.exe 1 1 15->22         started        25 conhost.exe 15->25         started        43 Multi AV Scanner detection for dropped file 19->43 45 Machine Learning detection for dropped file 19->45 47 Tries to detect virtualization through RDTSC time measurements 19->47 process8 signatures9 49 Creates an autostart registry key pointing to binary in C:\Windows 22->49
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/84402b111a9e126f52c2ddff7e8d4ac2730bb4ed39409a83ace0a1ded0b4e982/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 09:08:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0edc105e9bc4e9b297487650e45b6ee0b0ca1e97e2194a2b455d657e428be977
Loki
268a8cd2e1be94fb5124930ed021ef9cda228d8366efef29884f7affc47f936d
Loki
3e740fea889c9009f592cd53d244363e2095601ed8b88aa5225b46643b955c5e
Loki
4323dbb489f82a5a4906fbc6e0dc37a6589dc7b073f2fa0a569b7d3409314e15
Loki
73f6286bd85316cb72796f461e1ad724b8434837f1a10a4a625862c3a7e3c173
Loki
8878c46875d3b0d420bd76508490e5c6df7a55359d1d039f0edb145e836addb1
Loki
c3c933e8d5ebaa421d67aaf4c26be3c0368992133c3105fdd935470128910f6c
Loki
cf68e1b1e8e89cf03b0d721957c794936947c8cf5f8c30401c20e075e4b37c6e
Loki
d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879
Loki
f4e60792b136f02c28fd35322ee58bf723aeaa3611d286417d8b2b0707612cdc
Loki
+ 316 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot persistence
Link:
https://tria.ge/reports/201020-6wrkjpywes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://192.236.178.210/b/b3/cgi.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
84402b111a9e126f52c2ddff7e8d4ac2730bb4ed39409a83ace0a1ded0b4e982
MD5 hash:
b9bf35c62e8315af3a6441080444f048
SHA1 hash:
c65c73ab34c75e9167392a5cb7d1766bb3479777
Link:
https://www.unpac.me/results/051a66a8-4823-46cd-ae69-98d34a32205c/
SH256 hash:
4ec6100a1fb20f84d6d9a398bc6e3c5c8f5da66e33faca0e945616e80df1a31f
MD5 hash:
c0895c2e1dfa4dc8f4927020353c802f
SHA1 hash:
427a9d76252e98bc2ee51a54af0aedc1d2059489
Link:
https://www.unpac.me/results/051a66a8-4823-46cd-ae69-98d34a32205c/
SH256 hash:
28ff16c6dadfff86d4ece83e83afcf9e09a0dd37c20995194abd04f70d1abc2f
MD5 hash:
f1190ea016820e175c3c9347d8d70776
SHA1 hash:
7aeb0595cc0727be48e57f66e37a60c582a4b638
Link:
https://www.unpac.me/results/051a66a8-4823-46cd-ae69-98d34a32205c/
SH256 hash:
cf853361e5d547cc6945ce8d78fa376318a79eb8b659b089655ad6099b4dcc3a
MD5 hash:
6ba8565284b9f916b2d9df25c54c71b6
SHA1 hash:
c9efed53dea008c7219bce18ba3a8795300af161
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/051a66a8-4823-46cd-ae69-98d34a32205c/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/051a66a8-4823-46cd-ae69-98d34a32205c/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
fa9ef45e1fa4116f3ce8cb0cafe9d391116dc249f75b83fcab9a9036c029d725
MD5 hash:
3a423c2e6090f5f9551776e7357d67c6
SHA1 hash:
bdcfbf7548cb9a5f880a9639b035266ba309db69
Link:
https://www.unpac.me/results/051a66a8-4823-46cd-ae69-98d34a32205c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84402b111a9e126f52c2ddff7e8d4ac2730bb4ed39409a83ace0a1ded0b4e982

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 84402b111a9e126f52c2ddff7e8d4ac2730bb4ed39409a83ace0a1ded0b4e982

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/73474/
  
URLhaus
https://urlhaus.abuse.ch/url/722566/
  
Delivery method
Distributed via web download

Comments