MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91e3a5a72c848c5fdadef7dcb78767caf56a0d9ec266fc5fac46ed0885e55845. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91e3a5a72c848c5fdadef7dcb78767caf56a0d9ec266fc5fac46ed0885e55845
SHA3-384 hash: 3865eac6fdeffa7af46f4ee635503635f38f629eb189d53d7d59b4896a89f58ef98b09f30db580f542055a0806a39655
SHA1 hash: 4d3e1f0f904fc388489f184c4543e5e7d8dc4405
MD5 hash: c2ba734844ad95b6e65a0e48b592afcd
humanhash: asparagus-potato-asparagus-king
File name:c2ba734844ad95b6e65a0e48b592afcd.exe
Download: download sample
Signature Loki
Create hunting rule
File size:647'168 bytes
First seen:2020-10-26 16:19:43 UTC
Last seen:2020-10-26 17:51:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:nBGMYagC/pLpBUWZEJpHizcTs4gOlRpCTWqkOc1/WjS7iB7A:BNmCBLpB9oTPvAOKS8
Threatray 48 similar samples on MalwareBazaar
TLSH 56D4DE3C6E8426E36177E276A0F60587FEE8618673785D4B02C32B486D4AF163D9734E
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79405/
Detection(s):
SecuriteInfo.com.Variant.Bulz.154503.15993.1120.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/512393
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305412 Sample: 2oIKjXaT30.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 11 other signatures 2->44 6 2oIKjXaT30.exe 16 6 2->6         started        10 vlc.exe 2->10         started        12 vlc.exe 14 2 2->12         started        process3 file4 34 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 6->34 dropped 46 Tries to steal Mail credentials (via file registry) 6->46 48 Injects a PE file into a foreign processes 6->48 14 2oIKjXaT30.exe 54 6->14         started        18 WerFault.exe 23 9 6->18         started        20 2oIKjXaT30.exe 6->20         started        22 WerFault.exe 10->22         started        24 vlc.exe 10->24         started        26 vlc.exe 10->26         started        32 2 other processes 10->32 28 WerFault.exe 19 9 12->28         started        30 WerFault.exe 12->30         started        signatures5 process6 dnsIp7 36 mecharnise.ir 104.237.252.41, 49741, 49742, 49743 DEDICATED-FIBER-COMMUNICATIONSUS United States 14->36 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->50 52 Tries to steal Mail credentials (via file access) 14->52 54 Tries to harvest and steal ftp login credentials 14->54 56 Tries to harvest and steal browser information (history, passwords, etc) 14->56 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91e3a5a72c848c5fdadef7dcb78767caf56a0d9ec266fc5fac46ed0885e55845/
Threat name:
ByteCode-MSIL.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 16:22:06 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1278ca788a1bc30ac76bc2729281faa071817e9d980ab05c9bacf68eba06dd05
Loki
2b0e2a9e4f83a721d5d5305be3a7a3e075d2827af90562bf41c1a73a7dead657
Loki
334ab59399997e54878083e726a2dbc5d41f844025742b4ea35921a93bf24d68
Loki
40e91b54dfb08b396759074f6018c28433f771a9c6c66ff5b1789d786c591c87
Loki
59dd99ee3cd55d10de5aeca35b0f1c7f4288970d9ccd8ff624e049aca3cea5f1
Loki
610ed2ab81dda401cd838073f80b2d217c2a5bb8f6b35b32c6d71ed67ea4483b
Loki
7229eda7f70cf4048d377a97e470953853458f1635e9c426c042290fef14d979
Loki
b22d33b348ba648c5f39061bb4e743ed6a52dd57720de34902c093a2f2ac97ab
Loki
bb13a7a8fdc0b1a0c91de3c6dade1fd0e5b29cf74cc842d809c73a2a88c26854
Loki
f089cbd6d20afda4f1e00ed09abd44c9f271c8db61bbb1ce07048fadda34b1ec
Loki
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201026-dgcvvdcfwa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 91e3a5a72c848c5fdadef7dcb78767caf56a0d9ec266fc5fac46ed0885e55845

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/740518/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/79405/

Comments