MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a88b854d8ae81143d9c083ba95565e357a0472c0f4f701f73c8d5f961bb40e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97a88b854d8ae81143d9c083ba95565e357a0472c0f4f701f73c8d5f961bb40e
SHA3-384 hash: 0f322e599a77cccb8171eb1efc703152d455ecec8f75cc447c15ff831a75e7458696c45fd27d3ea068a7aee284969193
SHA1 hash: 39cff550ee92cc03f57e4c440199592b492961d5
MD5 hash: a15da204e418801995aeeafd61aadaf4
humanhash: avocado-zebra-xray-cup
File name:P_O INV 01262021.exe
Download: download sample
Signature Loki
Create hunting rule
File size:663'552 bytes
First seen:2021-01-26 14:28:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:7uApH5RzW4zXf908T9Cu5YV62VbSaAtVM8fqoKhmIQqEm/RUQ6JApfynxUOVtL7o:NzvCAd5YU2DuVVfqHgSzD5pfAVZU
Threatray 2'380 similar samples on MalwareBazaar
TLSH 2BE412117318494BCDE962F690E6808043705E6B2D92E3C86CCB35FE66FB3F99642797
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P_O INV 01262021.exe
Verdict:
Malicious activity
Analysis date:
2021-01-26 15:28:17 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/9559ad63-f3a7-4c8e-bd9e-95cf5b02ddc5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113922/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/590790
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/97a88b854d8ae81143d9c083ba95565e357a0472c0f4f701f73c8d5f961bb40e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 10:31:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6uixbknrlubcq6zycb3vfkwly2xubdsyd2poapxhsgv7fq3wqha._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
5292e67eef4608fef9fbd9df4909fdb814b964c0c44970328bc632f30e52f1eb
Loki
55b4be92fb1e6cf2d51b1598bea503929ef8f3166b19bffefd3320bf7eba4613
Loki
5f3bcede844e8174892b51124aa52ebd39f98514afc9773120adf4b4735d09d6
Loki
76e0ef504371de843a6197e948a1a1dfe3f8e87e25ff8e2ee5f6648daff0e0c6
Loki
9d78978a90924215994a1fc247c71d55f8480c19aacc76fed9c62cf27b3eb985
Loki
9dfd11163e1b4b9fb8f4e30d59596095d75ae42234fbd9a90580260dd21f58a8
Loki
a70bba83ae2d498368562988a73c7a24018d6e81235b7282146607f0e20a89c3
Loki
c43b0c99da438892e85837872b4588b7ac6aeaaca2e1169c7136a439033ab762
Loki
df1f012094e4d7601eecac850af54eb268691a8dd95f79fae052e6b7588780f5
Loki
f450de216509d54d57606d71016ad6749f124b789a35ceffbbc5f768d62bdf4d
Loki
+ 2'370 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210126-sndq6lhya2/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/6b5ak96Mu3bCz
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1a077833a61f96288140840d7e59245d1dd57291135b05e429fb55ed3d2c51eb
MD5 hash:
535a190a42b593a842e3e9f1649a90bd
SHA1 hash:
e278e57f482a141b7a14961a61b5012687a12ea7
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
3616e7da36d6f187d679df3b201b50fd51a0d893f51473288b666a97e65babd0
MD5 hash:
9e6283b5de4b90df42bb3b48a24d1aea
SHA1 hash:
6919df46ada0e32a3a381a9e6f5ff9797f4d2279
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
1a077833a61f96288140840d7e59245d1dd57291135b05e429fb55ed3d2c51eb
MD5 hash:
535a190a42b593a842e3e9f1649a90bd
SHA1 hash:
e278e57f482a141b7a14961a61b5012687a12ea7
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
3616e7da36d6f187d679df3b201b50fd51a0d893f51473288b666a97e65babd0
MD5 hash:
9e6283b5de4b90df42bb3b48a24d1aea
SHA1 hash:
6919df46ada0e32a3a381a9e6f5ff9797f4d2279
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
481cd4014e5b4df7b650b8cc49d2574c69a2942d6b440e9bd5856e6d112462ae
MD5 hash:
07ab9259457d3ad9d5f3e588121c943c
SHA1 hash:
bc3a8c3de7b98aac08b347e1571a50a4e64417c8
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
487d461c25ab71d37706d5f79b6db5ed31c927de5e16ce3964a116144cfddd3b
MD5 hash:
74e9f4ac2f2b48af379c2dc576fe6cc8
SHA1 hash:
a7ba49e76b6693daf69c59defaf76558eda779b6
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
69893ecd8c2fd2c22217607e8a29a022b46df7dd2574cad48fcbd1e81bd67f65
MD5 hash:
eefa1d127b8da225168efc7a7551cc7a
SHA1 hash:
c37ac7ac67f2260d3912db436ade9658c7ad32b0
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
487d461c25ab71d37706d5f79b6db5ed31c927de5e16ce3964a116144cfddd3b
MD5 hash:
74e9f4ac2f2b48af379c2dc576fe6cc8
SHA1 hash:
a7ba49e76b6693daf69c59defaf76558eda779b6
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
1a077833a61f96288140840d7e59245d1dd57291135b05e429fb55ed3d2c51eb
MD5 hash:
535a190a42b593a842e3e9f1649a90bd
SHA1 hash:
e278e57f482a141b7a14961a61b5012687a12ea7
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
3616e7da36d6f187d679df3b201b50fd51a0d893f51473288b666a97e65babd0
MD5 hash:
9e6283b5de4b90df42bb3b48a24d1aea
SHA1 hash:
6919df46ada0e32a3a381a9e6f5ff9797f4d2279
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
1a077833a61f96288140840d7e59245d1dd57291135b05e429fb55ed3d2c51eb
MD5 hash:
535a190a42b593a842e3e9f1649a90bd
SHA1 hash:
e278e57f482a141b7a14961a61b5012687a12ea7
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
3616e7da36d6f187d679df3b201b50fd51a0d893f51473288b666a97e65babd0
MD5 hash:
9e6283b5de4b90df42bb3b48a24d1aea
SHA1 hash:
6919df46ada0e32a3a381a9e6f5ff9797f4d2279
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
481cd4014e5b4df7b650b8cc49d2574c69a2942d6b440e9bd5856e6d112462ae
MD5 hash:
07ab9259457d3ad9d5f3e588121c943c
SHA1 hash:
bc3a8c3de7b98aac08b347e1571a50a4e64417c8
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
487d461c25ab71d37706d5f79b6db5ed31c927de5e16ce3964a116144cfddd3b
MD5 hash:
74e9f4ac2f2b48af379c2dc576fe6cc8
SHA1 hash:
a7ba49e76b6693daf69c59defaf76558eda779b6
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
69893ecd8c2fd2c22217607e8a29a022b46df7dd2574cad48fcbd1e81bd67f65
MD5 hash:
eefa1d127b8da225168efc7a7551cc7a
SHA1 hash:
c37ac7ac67f2260d3912db436ade9658c7ad32b0
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
487d461c25ab71d37706d5f79b6db5ed31c927de5e16ce3964a116144cfddd3b
MD5 hash:
74e9f4ac2f2b48af379c2dc576fe6cc8
SHA1 hash:
a7ba49e76b6693daf69c59defaf76558eda779b6
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
SH256 hash:
97a88b854d8ae81143d9c083ba95565e357a0472c0f4f701f73c8d5f961bb40e
MD5 hash:
a15da204e418801995aeeafd61aadaf4
SHA1 hash:
39cff550ee92cc03f57e4c440199592b492961d5
Link:
https://www.unpac.me/results/eebac109-0594-485b-833c-0a3b02602aef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97a88b854d8ae81143d9c083ba95565e357a0472c0f4f701f73c8d5f961bb40e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/113922/

Comments