MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a
SHA3-384 hash:	7ece1c2dbe01960500e18b1376925004fb1055feb490396e56914561086ce5db4ffd6bee2349e5316740b2781093f663
SHA1 hash:	bbe6fa95ac838c0c2a9b10c92fccb657c5625992
MD5 hash:	bb89c522f6584ccfb9819b31a70767a1
humanhash:	crazy-venus-high-louisiana
File name:	bb89c522f6584ccfb9819b31a70767a1.exe
Download:	download sample
Signature	Loki Alert Create hunting rule
File size:	517'826 bytes
First seen:	2023-06-28 14:41:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep	12288:9FKBG73lOUG2H7zS8zjDdSwrVPGoYuta7Xk:BrlMa7zbzPdSKYoTMU
Threatray	1'475 similar samples on MalwareBazaar
TLSH	T101B41240A3D12192CC6948BA5D5B01750EC0AC1794C95F93838D733EBE77A85FE9EABC
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	04bc8e96aa8e8ef2 (8 x Loki, 4 x GuLoader)
Reporter	abuse_ch
Tags:	exe Loki

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

310

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Suspicious

Malware family:

n/a

ID:

1

File name:

bb89c522f6584ccfb9819b31a70767a1.exe

Verdict:

Suspicious activity

Analysis date:

2023-06-28 14:42:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a599a4ef-e30a-4db7-a559-49e013ff4654

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/403578/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.Loader.1568.3994.29406.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% subdirectories

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/93989/overview

Behaviour

MalwareBazaar

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

control lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/649c46bbe1b9083ea6db9de4/reports/6c34ce00-0b00-4d81-98c0-da396db4c4a7/overview

Hybrid Analysis Malicious

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a25d5df8-f4b1-476a-9f77-e687ef962b15

Joe Sandbox GuLoader, Lokibot

Result

Threat name:

GuLoader, Lokibot

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1262766

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected GuLoader

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a/

ReversingLabs TitaniumCloud Win32.Trojan.LokiBot

Threat name:

Win32.Trojan.LokiBot

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-28 04:29:38 UTC

File Type:

PE (Exe)

Extracted files:

5

AV detection:

20 of 24 (83.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q2hgthqrs7oyszgbf6e3s47mzz2vercrlqzaobr6n7ccdcrsdnva._file

Threatray cloudeye

Verdict:

malicious

Label(s):

cloudeye

Alert

Create hunting rule

Similar samples:

2afb072fe81c319cbe4cee6d2c660a16a833b4243c8e5ea0aa041b2b974c3ef5

Loki

30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02

Loki

49f8ea644b5a69f7e8569c513168fa892922cc8e3e56617d7d225c9a85e3d520

Loki

79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49

Loki

b3aef47ce44656fbea5139d6bd03d8847f633199b00462aefebe43ac6c91e352

Loki

b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5

Loki

e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98

Loki

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

Loki

+ 1'465 additional samples on MalwareBazaar

Hatching Triage lokibot

Result

Malware family:

lokibot

Alert

Create hunting rule

Score:

  10/10

Tags:

family:guloader family:lokibot collection discovery downloader spyware stealer trojan

Link:

https://tria.ge/reports/230628-r2z4fsaa38/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks installed software on the system

Checks QEMU agent file

Loads dropped DLL

Reads user/profile data of web browsers

Guloader,Cloudeye

Lokibot

UnpacMe 2

Unpacked files

SH256 hash:

2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

MD5 hash:

a4dd044bcd94e9b3370ccf095b31f896

SHA1 hash:

17c78201323ab2095bc53184aa8267c9187d5173

Link:

https://www.unpac.me/results/c504f229-a521-4755-8b46-b7546252286c/

SH256 hash:

868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a

MD5 hash:

bb89c522f6584ccfb9819b31a70767a1

SHA1 hash:

bbe6fa95ac838c0c2a9b10c92fccb657c5625992

Link:

https://www.unpac.me/results/c504f229-a521-4755-8b46-b7546252286c/

VMRay GuLoader

Malware family:

GuLoader

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/868e699e1197/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Lokibot

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 868e699e1197dd8964c12f89b973ecce755244515c3207063e6fc4218a321b6a

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2672636/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/403578/