MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c
SHA3-384 hash: 0bf98c30cb9b8b059f0fd2e8e9fd4caff6465b7a27b257f35275b0268c0f97f80a56522e5bf1f5d7be7114d2fd8e0a10
SHA1 hash: 1b40243a8e6a025eef866f09b7b4361b70777494
MD5 hash: 4047a1a03be9df604f06fdb28647891d
humanhash: six-three-zulu-happy
File name:SecuriteInfo.com.Trojan.DownLoader36.26314.8898.5357
Download: download sample
Signature Loki
Create hunting rule
File size:1'490'008 bytes
First seen:2020-12-04 23:42:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 044c00ba0877e7ce0b5e1c462f6e7c9a (1 x Loki, 1 x ModiLoader)
ssdeep 24576:UAcx/7kfcBfKnvXYX6pVJhPUv/DH3q3Is+Oiw2MioqoqoqoygCQCQCQC6060606w:Uxv0dVXPUv/DUddxCp
Threatray 10 similar samples on MalwareBazaar
TLSH 1365B3FE7DAD40EADC3E283E6F55A0C8646E8EF4351440D1076B78ABC6737A6EC94901
Reporter SecuriteInfoCom
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106842/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.26314.8898.5357.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/556170
Signature
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2020-12-04 19:57:32 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
04f271742dac058c042af388562d7678536a47273846d692649926bad5dce1a0
Loki
069f3de8e79399dcc2a0811f2b560b34339c31eed7a465b9c759bd25d5aea17f
Loki
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1
Loki
1288ae44d28cad478afd6fae196164f297b8656977fd2ac34d08ab5877a5b795
Loki
3093a36c7e6517af79b2accb877b76346054847365df4f171c3b5ea1da4bfe45
Loki
6fe2c258a1b901252b18bd79958169566e889fe74af69b54afc53f5945184268
Loki
99cf04b4681e23be9445dd54668231f52276645f4c263e4d2c1c730e7d264303
Loki
bd95c8709b9a82ab2af9d1454996fbdbd3a7da4e8335bf8481bd567430130184
Loki
beda2e9772821c818f5abcd27711089ff4b6620800af752191624e7294456a25
Loki
dfa55212542ed697d1dba24d643315d5b3b3cbd659b68a11f9174a68fdaf4cf6
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/201204-qkpr8axeve/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://104.223.143.21/frilt/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c
MD5 hash:
4047a1a03be9df604f06fdb28647891d
SHA1 hash:
1b40243a8e6a025eef866f09b7b4361b70777494
Link:
https://www.unpac.me/results/fc32d703-36e8-46a1-a0e4-04a2402255b1/
SH256 hash:
1e58bc6e82d1e37a505b985b457c6c93d7380f366f1353c1d8fd9d467928e2ba
MD5 hash:
5ff91b8e23ee6fd371091cac515d661e
SHA1 hash:
db35440b28804c2e30ab3d13b13c3da719145795
Link:
https://www.unpac.me/results/fc32d703-36e8-46a1-a0e4-04a2402255b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 957ef05564cba68f526fe7d881b3957a933b14196205f2cf6d9e287c100ab85c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/889393/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/889394/
Cape
Cape
https://www.capesandbox.com/analysis/106842/

Comments