MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a7c54986bac7121d07ea6fdd29e17deea035b9382527f090c182aafbdc049ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a7c54986bac7121d07ea6fdd29e17deea035b9382527f090c182aafbdc049ae
SHA3-384 hash: ab5ce6400ee1985be26f1f2c2a0d9fa125e59ec64a30e822f30bf7cf15fa060439dfa37642fff1b1cfe55ee1be7e3ac8
SHA1 hash: 8f3637de6867f4dc8d1404c24f39326c725b0ba2
MD5 hash: 78c0eed4251dabd81bdb833fa518efd2
humanhash: pasta-kentucky-may-asparagus
File name:GFCmQMox5MpE7RD.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'044'992 bytes
First seen:2022-10-24 07:21:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:ixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussUousdJ19:bdHdlFdj
Threatray 11'171 similar samples on MalwareBazaar
TLSH T15C2517BA22C0229FD426B1758193E9B326F77D626116D1C750D30F6FBC482BBDA12397
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1031ccc4ccccaa10 (14 x Loki, 12 x SnakeKeylogger, 11 x Formbook)
Reporter adrian__luca
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
GFCmQMox5MpE7RD.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 07:37:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e8abd689-ce46-4c38-8aea-6d1e5120afee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323260/
Detection(s):
Win.Dropper.LokiBot-9975396-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0819baec-d72c-48b6-a8eb-17a6ce83ad5a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096377
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a7c54986bac7121d07ea6fdd29e17deea035b9382527f090c182aafbdc049ae/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 08:10:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rj6fjgdlvrysdud6u365fhqx33vagw4tqjjh6cimdavk7poajgxa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04f557582bc8b4c4af843d0c837124da73f887ac5b997efdd78f96d45caced85
Loki
4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217
Loki
7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a
Loki
def88fc364ed03678d528bfd6bc39f19ff1831b098aaf0705fa13063c4044a2a
Loki
ec2a93f1858ba7e0de894944d57fb4b2f3021e5574d1b3594bfd8ffe32f7b029
Loki
f998a60cb95f390ca201950cf41b1764646f2f8ca91f13c05fbf78282518e741
Loki
fa4058c30f37d1cdb72e5bbcc467ff8f9b584b090bfdf723ac1f04817980096a
Loki
+ 11'161 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221024-h68rqafbe6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://sempersim.su/gk22/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
8b9d184c6e29abe0ade3d02089a2365be3d0b4d6a818962ed1bd1086af1bc20c
MD5 hash:
837cdb7cd43f202450026e50ce7fe6f0
SHA1 hash:
ec805af46d0c6c213eb100fb2dd97d557460afa1
Link:
https://www.unpac.me/results/2f6fb751-9481-4f9a-ab6d-ff28e6cb323c/
SH256 hash:
17a84e2f8378d59444df20ba6c6c65feeb8a3d1145ec1156c318ff2d3f0b0160
MD5 hash:
fb2669de2ceba076eb7bdeb2d11c155f
SHA1 hash:
bf797c3ff736eb65cdb24a34da449171c1e10196
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/2f6fb751-9481-4f9a-ab6d-ff28e6cb323c/
Parent samples :
16bafc095597c2a0de4683bf79e757cf460a6a783acab20c97efa71b323c0100
c48c54a2b2b453e86b248a1ea9dbfe0d5b533db99e431dc8635c2763420c1afd
c9b6ceb32eb5c770ca7881b2d041398eae764383b36b309b518c4d9999885118
6fd2a235ba4cdc4d28095cafa845dbd9f4b66046034d3b2193edc1e4ff368af4
8a7c54986bac7121d07ea6fdd29e17deea035b9382527f090c182aafbdc049ae
20288ad40a731c2f57ab6b8fe2feb300635639d197e923c59837e0dbc724e33d
88f2b5426060120f9c5bbb40724b89b4a15253746f136704461e9a116f3cf842
4bd28ee01773d5d6e41608ce4a355f0958e93ce1c849ed58aaa64492be795066
381689aa52129bc94e5b821684bf9c00e91af0ef9a56b4490ee071e0cae08c58
SH256 hash:
678d527fc01a0eaa1be366ca97b0ad5a3fe890b1ef8267d2fc981ff43c4d08e5
MD5 hash:
2da433d67db4775d8f02a8fed4b31bf3
SHA1 hash:
235fe8f2076f3b5cfffacc574825550cee8e61e9
Link:
https://www.unpac.me/results/2f6fb751-9481-4f9a-ab6d-ff28e6cb323c/
SH256 hash:
1089c7fdbc29799b6b83894fa432412268a80be63029c7c89358a896d01977c6
MD5 hash:
1c9a1f5957dd49e31634d7430513e4b9
SHA1 hash:
11660e532f00e4749ba076f89cd9dfdd23179069
Link:
https://www.unpac.me/results/2f6fb751-9481-4f9a-ab6d-ff28e6cb323c/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/2f6fb751-9481-4f9a-ab6d-ff28e6cb323c/
SH256 hash:
8a7c54986bac7121d07ea6fdd29e17deea035b9382527f090c182aafbdc049ae
MD5 hash:
78c0eed4251dabd81bdb833fa518efd2
SHA1 hash:
8f3637de6867f4dc8d1404c24f39326c725b0ba2
Link:
https://www.unpac.me/results/2f6fb751-9481-4f9a-ab6d-ff28e6cb323c/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a7c54986bac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8a7c54986bac7121d07ea6fdd29e17deea035b9382527f090c182aafbdc049ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 8a7c54986bac7121d07ea6fdd29e17deea035b9382527f090c182aafbdc049ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/323260/

Comments