MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d
SHA3-384 hash: 9bdbc68ac6adb5eb4d4421a3ba547d0bf09b8080f681ddb7f47da0e7319b95ef44f6759070f22f205f258c9c414326fd
SHA1 hash: 5f13dc4cf2f48f50b3e99072c9b5158a8e538025
MD5 hash: 77e0597ea42ce5173b4b9d2ae1aa8f14
humanhash: foxtrot-diet-bravo-item
File name:77e0597ea42ce5173b4b9d2ae1aa8f14.exe
Download: download sample
Signature Loki
Create hunting rule
File size:427'829 bytes
First seen:2021-09-20 07:01:31 UTC
Last seen:2021-09-20 08:03:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 6144:Y8LxB2Uk/MKjE0dN3IkTzocqQRWd3Ie8HAcyR8oyhuXqKfrc:WUk/1h/3Ik4pd3FsAcyR8oKWqKA
Threatray 4'710 similar samples on MalwareBazaar
TLSH T12F943C296F70D874F38632351C077E24BD256E78D6F8228D2923F66A98736DDDC39248
File icon (PE):PE icon
dhash icon f0e8baba2a96e831 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ_final version.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-20 06:11:53 UTC
Tags:
encrypted opendir trojan exploit CVE-2017-11882 loader lokibot stealer
Link:
https://app.any.run/tasks/47bb564b-79fa-4c3a-81fa-80f177b3a752

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lokibot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189229/
Detection(s):
SecuriteInfo.com.Zum.Androm.1.12526.3223.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a window
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04f57e1c-9944-49f4-a720-85ffda13f89a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853777
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 06:07:26 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkecch35ylaqzw64tmwaetd2w5me6suhlfegdmghafkj4mjjgfgq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
03cb95fdd2bb94ff411d1737206768638ad47e1a0a52a31f8b697dc6a827fc48
Loki
1675fb76302c10aa0fe1f2f538357e39aeaba6c7162921c3e6c9a4cd3ebedd60
Loki
17db799afaa16c64015eda3d7ea62098daef3c769306854acc29f2c757b9d6a4
Loki
238eed13e028fd7316db1306510ac4aba9159fad5095caf124893aef89f7cbb3
Loki
563818872af4977ebccd2bc8f97e968edeb6cce444c7a380b3c69e53fd317c2e
Loki
750733fd4c90de2a0003bd6bbc410f61bfc88f1a2b70e6d8846a937b8372807a
Loki
ae3ba262ffc14ea78944dee9331e9336f508b0b283481262ab2ee81b90023bd1
Loki
bbbe39716fc34ce2fc73e72a86669a1948ed5fb6a83ab0ce7f939409ac5d5474
Loki
f8efdc806be878faaf8c96d42603f505f207f034106779d8a1a356d1eab253d6
Loki
+ 4'700 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210920-hts6hadbf9/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=488
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
6458da48fde8b48546251db352af4afa8d12a47e45188e3fd2d576613f691709
MD5 hash:
7f8740b58177f1ddc0679c1117469b51
SHA1 hash:
febc9f41d6731b5540d2f756310a85f656f68f4c
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/3eb86570-7517-4232-b86d-edcc71ac25c8/
Parent samples :
8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d
d8d1ebdb241277b39607ea8d4c63853c25b6523a3a88d720373a0f9efd03a686
4e5daccda1624bc3412f03c4876f1254f57fe07fcbfe730e5a25b4c50a29c34f
SH256 hash:
370662b9f9895981148f2567f8364de8209088fa506a408546a2beedf78692c4
MD5 hash:
1941f139247b44215719500be23dcaf7
SHA1 hash:
8f806e1f5684d353a2d0625a3853353d66459df1
Link:
https://www.unpac.me/results/3eb86570-7517-4232-b86d-edcc71ac25c8/
SH256 hash:
8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d
MD5 hash:
77e0597ea42ce5173b4b9d2ae1aa8f14
SHA1 hash:
5f13dc4cf2f48f50b3e99072c9b5158a8e538025
Link:
https://www.unpac.me/results/3eb86570-7517-4232-b86d-edcc71ac25c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 8a88211f7dc2c10cdbdc9b2c024c7ab7584f4a87594861b0c701549e3129314d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1562680/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/189229/

Comments