MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90affaa1d41e73a109fe40164789372356302f3a08dc54a1968ade45f63f2efa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90affaa1d41e73a109fe40164789372356302f3a08dc54a1968ade45f63f2efa
SHA3-384 hash: d6c42600650f8a99f0c0280b85fe791d852b03ce3920776c51140e1bf3e5f6e673ac8b776aa45a40a169efbd9a804cec
SHA1 hash: 2ab3bddcb7f2a51a94ab36f2d8eef1b1bbfb81e1
MD5 hash: 2ce98bda47dd952aba13f3dfa24f0720
humanhash: london-lithium-gee-nevada
File name:90affaa1d41e73a109fe40164789372356302f3a08dc54a1968ade45f63f2efa
Download: download sample
Signature Loki
Create hunting rule
File size:832'512 bytes
First seen:2020-11-14 18:25:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9bc579eb0d58ef7c936d7bf1ccbfe7f8 (3 x Loki)
ssdeep 12288:Tp1Jm8N2LRJqGQvaCYnnT7WRyScaCfotBMTA0ZpVxnJs2TWo3cx:FW86Rov+nT7R1foPMTA0TVlns
Threatray 251 similar samples on MalwareBazaar
TLSH E4059F62E2D04933F1A3153C8D9B5254BA75BD932A2BAA453FF15C0C4F3879538393AB
Reporter seifreed
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Nanobot-7585429-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Reading critical registry keys
Changing a file
Replacing files
DNS request
Deleting a recently created file
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535232
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Creates files in alternative data streams (ADS)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 316715 Sample: nefy7IrRKm Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 28 noveit.gq 2->28 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 4 other signatures 2->40 8 nefy7IrRKm.exe 4 2->8         started        12 wscript.exe 1 2->12         started        signatures3 process4 file5 22 C:\Users\user\AppData\Roaming\...\tyonis.exe, PE32 8->22 dropped 24 C:\Users\user\...\tyonis.exe:Zone.Identifier, ASCII 8->24 dropped 50 Creates files in alternative data streams (ADS) 8->50 52 Contains functionality to detect sleep reduction / modifications 8->52 14 tyonis.exe 1 8->14         started        signatures6 process7 file8 26 C:\Users\user\AppData\Roaming\...\yisis.vbs, ASCII 14->26 dropped 54 Antivirus detection for dropped file 14->54 56 Multi AV Scanner detection for dropped file 14->56 58 Tries to steal Mail credentials (via file registry) 14->58 60 4 other signatures 14->60 18 tyonis.exe 54 14->18         started        signatures9 process10 dnsIp11 30 noveit.gq 18->30 32 192.168.2.1 unknown unknown 18->32 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->42 44 Tries to steal Mail credentials (via file access) 18->44 46 Tries to harvest and steal ftp login credentials 18->46 48 Tries to harvest and steal browser information (history, passwords, etc) 18->48 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90affaa1d41e73a109fe40164789372356302f3a08dc54a1968ade45f63f2efa/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:29:37 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=scx7vioudzz2ccp6ialepcjxenldalz2bdofjimwrlpel5r7f35a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
025088f7c1db9c5f9472badb6d1c4f119868b922c52b6bed896e8e2ff746f955
Loki
1f1745eb2812b5c0cc6c26b69661ea1d8ab78a541271950e7b97d0cd2b502db1
Loki
2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1
Loki
2c64af2b995ad6b33bc90f4103e1ae990db77c9c341279c0ab0af1c38d414405
Loki
6b95bdd0d0a511eb1fb20709941e92eb049f4e246b5615554090520a9a509799
Loki
ad1922d859c3503dbd1a971cc42b5e949c9c7f2d85b7dcc3b2e4317cb776c9ce
Loki
ceeffdff4b0af45c77f3923e47c03a529c87dd4e0e92fdc88b0551857df53239
Loki
cf60dd8e927a419d76dfb060c649c888dacc338cc14b5e3abf5e388213fec520
Loki
d050b76ba909799dc235b62e32658b86294dbd5c8282df0c4c3f4a5581373603
Loki
ee6148aef85c2c43108bccc176a944851f971999eb0aff03cae72c57ecd50959
Loki
+ 241 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201114-tcfdwfms76/
Unpacked files
SH256 hash:
90affaa1d41e73a109fe40164789372356302f3a08dc54a1968ade45f63f2efa
MD5 hash:
2ce98bda47dd952aba13f3dfa24f0720
SHA1 hash:
2ab3bddcb7f2a51a94ab36f2d8eef1b1bbfb81e1
Link:
https://www.unpac.me/results/7ea61ee4-b4da-4271-819b-ad70800ef8b7/
SH256 hash:
228b7da993b21bbb24ad604b3532eefffb7c02e1eb3d83f6831aea7e139818a1
MD5 hash:
b9c3a496a6360bdcad1aab43dc62b3cf
SHA1 hash:
c04095ca8569fcea627ced1bec4ef9d9be270365
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/7ea61ee4-b4da-4271-819b-ad70800ef8b7/
Parent samples :
9235974f9e59e5c090bbc7dfa871c402e97cd276007b56383aaee7f2578368d9
90affaa1d41e73a109fe40164789372356302f3a08dc54a1968ade45f63f2efa
173e07cafb003acbaf3e0d977f7687c80e131bcb86856227c77b9af503939158
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90affaa1d41e73a109fe40164789372356302f3a08dc54a1968ade45f63f2efa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments