MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9044753703fe23426eb2394a186baeaf1de4793549b5680db25556a9ee7c3877. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9044753703fe23426eb2394a186baeaf1de4793549b5680db25556a9ee7c3877
SHA3-384 hash: 972a69d6bf082b828f3fccd21d1d7eb4680493e0f38a647dd1fc47257e8cd2305da9c63ecd44f5c1b6ff978bb1c3983d
SHA1 hash: 724a0967109a9e3475df14680d9d9e40bafddc61
MD5 hash: cb7a8793cf8970072ac7c8e3abc75f0e
humanhash: artist-texas-connecticut-sierra
File name:cb7a8793cf8970072ac7c8e3abc75f0e.exe
Download: download sample
Signature Loki
Create hunting rule
File size:295'351 bytes
First seen:2021-11-30 07:25:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGi5zOOh/9t/BgHWF726k6B6rMgNKyFnENS54CnR:BhjAWJ26kYmKy/PR
Threatray 5'665 similar samples on MalwareBazaar
TLSH T1565412467EC22EFBD0EA46713AB5B25CEBF791DB0201695787745FAE4D802820E35633
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cb7a8793cf8970072ac7c8e3abc75f0e.exe
Verdict:
Malicious activity
Analysis date:
2021-11-30 07:34:11 UTC
Tags:
installer trojan lokibot stealer
Link:
https://app.any.run/tasks/419d2946-f6fa-4d23-8983-4aa305e84564

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/209840/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Creating a file
DNS request
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/315/overview
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61a5d20ebbfd2af97cbbfbe9/reports/1af3500b-b8f8-400b-9d92-450f49d48ab2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/78b06155-8c0e-450e-a22f-9b7c599bae0a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/898486
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9044753703fe23426eb2394a186baeaf1de4793549b5680db25556a9ee7c3877/
Threat name:
Win32.Dropper.Nuldrop
Create hunting rule
Status:
Malicious
First seen:
2021-11-30 07:26:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 28 (78.57%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
05679e77d92c8be217fb1e34cfaa8dc0254a98c9cd35ce0b0bbab31426daff1f
Loki
3dd38daa4ca8630ccda829c5d97e744ed278ddbf9c79161450cdb9517c74e027
Loki
7b12e253b0bf89ef0535a8dc539361954c67511bcdbc709060c0b1e6ed539cb6
Loki
895a3f8a366ed73ca1cab8ef49582ada6382880654ab28e95b2902cde46e3726
Loki
a358f9eb5bcd5300fa83d2080d4ec9f1996b5fedbc5b6f63a4d95738c8d99704
Loki
b65b34a54593add5ada0cc781f370a27c19af92ff0f2621b1539efd90a001cde
Loki
c1d9b04bca7264c76a2eae6357f6a2fc931237f374db992a926db9dd714b85c5
Loki
f228ebe1b6d660825c71c76528486d30fe68858362b0bab96a203b4eba670c35
Loki
fed21233449898cf24af01a24a9e552fa1c3f3684a4cc1411ae9240d1af5991b
Loki
+ 5'655 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211130-h9jl1ahdc2/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://74f26d34ffff049368a6cff8812f86ee.gq/BN111/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
9044753703fe23426eb2394a186baeaf1de4793549b5680db25556a9ee7c3877
MD5 hash:
cb7a8793cf8970072ac7c8e3abc75f0e
SHA1 hash:
724a0967109a9e3475df14680d9d9e40bafddc61
Link:
https://www.unpac.me/results/25928b2c-d1b8-436c-8df2-5d03fc0df729/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9044753703fe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/9044753703fe23426eb2394a186baeaf1de4793549b5680db25556a9ee7c3877

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 9044753703fe23426eb2394a186baeaf1de4793549b5680db25556a9ee7c3877

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1833315/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209840/

Comments