MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6
SHA3-384 hash: a0218f69814df5131444a69f19564c57b8c1ef6ac70a46f0d00f36cd6abe9cf39ae77ee7e2b30cd4cca708edb2b77670
SHA1 hash: 7d5a78867737c91bb9cfbd88a3aa20c89900fdb3
MD5 hash: 252cae0537d8c3aa42d8e69ad802b966
humanhash: july-iowa-five-bravo
File name:triage_dropped_file
Download: download sample
Signature Loki
Create hunting rule
File size:230'363 bytes
First seen:2021-08-24 02:05:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 76cb49957629b5fe0d40d13588a8762e (4 x Loki, 3 x Formbook, 2 x NanoCore)
ssdeep 6144:cxB+lzu0FKw3wIZ6ifYfFPxhypIahW9LYJvtKs5xi:cb+Zu0FKw0ZhOIm7GUi
Threatray 4'413 similar samples on MalwareBazaar
TLSH T12E340268A20FC1D8D37EADF229B8047DA161AF713DCDF1C67125F96D1A37A290433985
Reporter malwarelabnet
Tags:exe Loki Lokibot

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://65.21.223.84/~t/i.html/XjjuWy0TVqjre https://threatfox.abuse.ch/ioc/193529/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'404
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
triage_dropped_file
Verdict:
Malicious activity
Analysis date:
2021-08-24 02:06:29 UTC
Tags:
trojan lokibot stealer opendir
Link:
https://app.any.run/tasks/b46e070f-33cf-430d-807e-1b1cab9ffd23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181683/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.18541.28440.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
DNS request
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Moving of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1796f956-9b00-4505-b167-061503806d0d
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837910
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 02:06:12 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rylg5m2ipisd4io5z6ukraltu7y3fm354gffl5croabqe5kh733a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
17db799afaa16c64015eda3d7ea62098daef3c769306854acc29f2c757b9d6a4
Loki
324d549fb7b9999aa0e6fb8a6824f7a05fe5f1f21d76fb2d360cb34c56eb1995
Loki
3fb730890c8c04eb09d8b2acff9c376d8054d5d3748898a907099055ec54f2ac
Loki
44df96504ff0a727740da2a67982e2d214849ecf98a64de1ffcbf92bb46331a1
Loki
6438095080694e51e7802ba419e9854234dccdd3cc818eee26cea88f6391177f
Loki
82e12573052c2f4088b79873bc969a0b0262d2beced743b68282248c3dc42ff7
Loki
871fa4ba1f0c569a5e3eecc4580b37039a5ba0ea1b07435b881e021ec7532785
Loki
c56bc83a9e77b9ee422f659aaebab96027d0e5c57dce023a0f5939a96964d620
Loki
+ 4'403 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210824-dysq4hj832/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://65.21.223.84/~t/i.html/XjjuWy0TVqjre
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
3958588f4a6005befac5f756c08439b76f4cf7f58b887de204914d61c2b2d8ec
MD5 hash:
b06a4608c5a896ee235195d00085f2ac
SHA1 hash:
39a367aed694a244343c57d75fe6b20ee9d31f49
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/170abb8f-8c6e-4e02-8bcc-4bea0ffc059d/
Parent samples :
8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6
37fc32834534585e428b56470b36be2b234b9813bf6d82cea9c1446fd72bc50c
SH256 hash:
3ca15f0c23b0e5cc47c5b64d0d8c7e353b4fdeb84494e5089d7a48ed72efab25
MD5 hash:
cb79d23e71d50fa2df862cfecbb1ba34
SHA1 hash:
7638b2e2e952442d7a5851b5964577cc64ffd267
Link:
https://www.unpac.me/results/170abb8f-8c6e-4e02-8bcc-4bea0ffc059d/
SH256 hash:
8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6
MD5 hash:
252cae0537d8c3aa42d8e69ad802b966
SHA1 hash:
7d5a78867737c91bb9cfbd88a3aa20c89900fdb3
Link:
https://www.unpac.me/results/170abb8f-8c6e-4e02-8bcc-4bea0ffc059d/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8e166eb3487a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 8e166eb3487a243e21ddcfa8a88173a7f1b2b37de18a55f4517003027547fef6

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/181683/
  
URLhaus
https://urlhaus.abuse.ch/url/1559366/
  
Delivery method
Distributed via web download

Comments