MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 928d262c6531d61866ce87f23a2f67ce7e44071213275f697b7073e95c6e688c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 10
| SHA256 hash: | 928d262c6531d61866ce87f23a2f67ce7e44071213275f697b7073e95c6e688c |
|---|---|
| SHA3-384 hash: | 58bf1432c354be8b7f976d6b1f4d6bca293a576a8343593f29ebca72b31d48c18da7786f2313ae507b2ccd159d33fe7e |
| SHA1 hash: | 626bb9889d9d71bd88531309d56dd1db492c3f18 |
| MD5 hash: | 417ee7a802cdd0ce37049184e7a88646 |
| humanhash: | mobile-idaho-crazy-five |
| File name: | Order- #PO29383.exe |
| Download: | download sample |
| Signature | Loki |
| File size: | 509'440 bytes |
| First seen: | 2020-11-01 14:40:57 UTC |
| Last seen: | 2020-11-07 17:26:27 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 6144:wkWOGNMCg6R/KDRl1YXhxYnAaWIofTNmISf7MiIUbwLZwXsrj/QNMcNM0c37pUHd:wkkiDXufYnARqXyj/5cFcziskcTP8 |
| Threatray | 1'842 similar samples on MalwareBazaar |
| TLSH | 51B42AFAA241EA6BC80F047FF84B256193D5DF2D99F8C04683D9B11E127D7C952AC48B |
| Reporter |  GovCERT_CH |
| Tags: | Loki |
Intelligence
File Origin
# of uploads :
6
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2020-11-01 12:03:40 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Similar samples:
+ 1'832 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot evasion persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
Malware Config
C2 Extraction:
http://qataracfridgerepaire.com/wp-admin/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
928d262c6531d61866ce87f23a2f67ce7e44071213275f697b7073e95c6e688c
MD5 hash:
417ee7a802cdd0ce37049184e7a88646
SHA1 hash:
626bb9889d9d71bd88531309d56dd1db492c3f18
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
SH256 hash:
6c6384e2d70575a9d91a107ed8732ab202c0b737a9b41b5cd19724553dc68a39
MD5 hash:
0d4a738e721753ef3e7a01853c8de437
SHA1 hash:
7f9d9e712839f6cc0eafe47818708fed3fe14d52
Detections:
win_lokipws_g0
win_lokipws_auto
Parent samples :
33d9421e4e71fbd21729972746d586517926e7c2338ae53185d9438266978cda
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
0bd5d64782a5e667b4bdff972591924d34e653e636c2f9c21b14e844c3cf9b74
4b9d6921c78211705daddc2842fd240d77a25a229980e2c2139ea34680a7f11b
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
dc92a5d042a719af5689f99b6423e6ab0a63a6617ac33ccc10781605158ba138
928d262c6531d61866ce87f23a2f67ce7e44071213275f697b7073e95c6e688c
806fb889e0c86660bda36857336402d09ec8b4af9145c7ad00c2e1607b26b290
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
0bd5d64782a5e667b4bdff972591924d34e653e636c2f9c21b14e844c3cf9b74
4b9d6921c78211705daddc2842fd240d77a25a229980e2c2139ea34680a7f11b
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
dc92a5d042a719af5689f99b6423e6ab0a63a6617ac33ccc10781605158ba138
928d262c6531d61866ce87f23a2f67ce7e44071213275f697b7073e95c6e688c
806fb889e0c86660bda36857336402d09ec8b4af9145c7ad00c2e1607b26b290
SH256 hash:
beb916690e14a625ba32b648f404a5466948ed6edbd3a10e780a4b90e3f3f337
MD5 hash:
2b9bfa37665a90cd381e634dca24b98f
SHA1 hash:
eb4a57d9a65ee60a1d60f7100074c8f2e5b78c03
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Email_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Email in files like avemaria |
| Rule name: | Lokibot |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Lokibot in memory |
| Reference: | internal research |
| Rule name: | STEALER_Lokibot |
|---|---|
| Author: | Marc Rivero | McAfee ATR Team |
| Description: | Rule to detect Lokibot stealer |
| Rule name: | win_lokipws_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Dropped by
Loki
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.