MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d
SHA3-384 hash: a27035db3da3f7208886c60bafc0f7f2a59fadc5a27c3506786c6d73d1529215164985848402d11ba163f5e2c5472fa7
SHA1 hash: 260594c98e715129f01b56436c8e4080f50ca9a7
MD5 hash: 5b635028abf4b8f711376c894077e4d2
humanhash: magnesium-failed-princess-muppet
File name:po.exe
Download: download sample
Signature Loki
Create hunting rule
File size:483'840 bytes
First seen:2020-10-12 05:51:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:o19duuq4rgq+FDf535W8R4GQhM0xjobns6FvucG:eEuGxDf5phR4FMCj8/ucG
Threatray 1'579 similar samples on MalwareBazaar
TLSH 57A4017623464E5BE3BE18F94002108613F6DA275293F7EC6DF5505C02A23A5AB6B3F7
Reporter abuse_ch
Tags:exe geo KOR Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail-smail-vm29.hanmail.net
Sending IP: 203.133.180.213
From: 이채원 차장 / KHE <yuho2417@daum.net>
Subject: 견적 만
Attachment: 견적 만.cab (contains "po.exe")

Loki C2:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/white/Panel/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69903/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487910
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 01:56:49 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmktymxds6q4ljd3m7gugbvi3fdga77mxjsbvquynohdgcxvde6q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
814b0968761c0dbd4a43208cd82d150aa6608538abb845561257687ed9cd0524
Loki
8867e72aaf3985ed148d3049c628d73ba0024e3129e466c17bd6a665be9e84f0
Loki
8e46fce2bda79da5d4d8a9b5f3dc6c8295eee0968a9114e0559977f22dd71812
Loki
95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd
Loki
be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd
Loki
c03621f1252606a61ffbccdbf821c68aea9c491df1968a49e21ce74258f0a5f2
Loki
db7f29881f46de2c7dad595a574bccd452f5c42594266b1465c3f57326010e69
Loki
eec64be092d3bd6ac2f32cbbc1bb4f50b373200d8431ae7f62a02834afbe7aef
Loki
+ 1'569 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201012-az97trq6jn/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/white/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d
MD5 hash:
5b635028abf4b8f711376c894077e4d2
SHA1 hash:
260594c98e715129f01b56436c8e4080f50ca9a7
Link:
https://www.unpac.me/results/1e3e4660-322c-48d1-977b-aa0dbea8d969/
SH256 hash:
fdcbff76f7641cb9535d1f7d5d9de454c726c710a393ba1fa8c468c5dd9fd326
MD5 hash:
fed3e258d8334b65c88c642d3430e008
SHA1 hash:
f1297f45099534f62c44affc50216241ab345663
Link:
https://www.unpac.me/results/1e3e4660-322c-48d1-977b-aa0dbea8d969/
SH256 hash:
0428be7b8e1630a8e9ffcc2c1ec2b0f850830c27f643a37d7cda86fd09bb17fd
MD5 hash:
87ca9d0aba912b247e2d2c6b00058b85
SHA1 hash:
19ce24eb14f2610e2b89d7c6504ed17a5aa4b79b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1e3e4660-322c-48d1-977b-aa0dbea8d969/
Parent samples :
503cec3d1e7545f610736aa3ee4473b3e0f28ee2bd80b682e8d8f687c2410008
f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945
8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/1e3e4660-322c-48d1-977b-aa0dbea8d969/
SH256 hash:
29e6351c35525b598d177ebc361fc6ac36a444088b6b9bd91816704b48fed6b2
MD5 hash:
8ed531dd375800981c228d1c2398ddd2
SHA1 hash:
712a89a9091db884dffaccee91bffa39d9b36a1c
Link:
https://www.unpac.me/results/1e3e4660-322c-48d1-977b-aa0dbea8d969/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab b18753f13ccde34ed4a1a4ae5afe4e58b70bc624e3179d7fdc1e15f895d4770f

Loki

Executable exe 8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d

(this sample)

  
Dropped by
MD5 69fb7d704552ca0a869a469d6280ca49
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69903/
  
Dropped by
SHA256 b18753f13ccde34ed4a1a4ae5afe4e58b70bc624e3179d7fdc1e15f895d4770f

Comments