MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221
SHA3-384 hash:	17c5be52c26c922ef42ae7dfd47a93afcc47c68a09f6fb0b1661c04a4cf30c51c3ef82e49805604112b70418d099619a
SHA1 hash:	bfebae123679cf50b6a82d53e4557472dc036b95
MD5 hash:	04123d5520d6eff585c03e96b02c9446
humanhash:	three-cat-butter-seven
File name:	PO772986.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	672'256 bytes
First seen:	2025-02-26 04:24:49 UTC
Last seen:	2025-03-07 14:04:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:uau3IHhrLZqtmQgfiL0LP9fbvU+GkJsvZ1zrOOPj0If6oM:vu3S1kL8ZFGMiHQICl
Threatray	3'449 similar samples on MalwareBazaar
TLSH	T1C2E4E97F19BDA2278175C6F58BE78827F0108B6F3110696476D347264322A7AB4F336E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	2huMarisa
Tags:	exe Loki Lokibot stealer trojan

Intelligence

File Origin

# of uploads :

# of downloads :

638

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

PO772986.exe

Verdict:

Malicious activity

Analysis date:

2025-02-26 04:30:02 UTC

Tags:

lokibot stealer trojan

Link:

https://app.any.run/tasks/bf259362-a94b-4dd0-82cf-2d7ecf3e3457

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Dropper.Nanocore-10017204-0

Win.Dropper.Nanocore-10023769-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67be97ff28ab76d43a5d2f80

Tags:

trojan spoof agent remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Stealing user critical data

Connection attempt to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

crypt keylogger obfuscated obfuscated phishing snake threat vbnet

Link:

https://www.filescan.io/uploads/67be97ba6222db7f23dbcf47/reports/cd4568cd-7f70-4736-ba0d-5de3207652d6/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9095fdef-244a-4343-891c-6c300499b94f

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1624277

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-31 12:05:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 38 (78.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=toopxix7hmeuzuupisb6ouqla7venu7jt6lpc44dlsa6v3jisiqq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection discovery spyware stealer trojan

Link:

https://tria.ge/reports/250226-e14c9syl17/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Lokibot family

Malware Config

C2 Extraction:

http://185.227.139.5/sxisodifntose.php/4LlT7SRZcUYvF
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Malicious

Tags:

Win.Dropper.Nanocore-10017204-0 lokibot

YARA:

n/a

Link:

https://app.threat.zone/submission/6dc0f88f-2c7e-499d-bc84-12e0b8fc80ee

Unpacked files

SH256 hash:

9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221

MD5 hash:

04123d5520d6eff585c03e96b02c9446

SHA1 hash:

bfebae123679cf50b6a82d53e4557472dc036b95

Link:

https://www.unpac.me/results/21f646e2-d402-4e8b-ae05-dd52c5302768/

SH256 hash:

81f9eac76804c02f5baaa34c91b5775f965a34ad7811218d9c24e50cb6d9a90c

MD5 hash:

bae511742374b721136acaa03b0c1fa0

SHA1 hash:

215c50455b01a78ea173bbb034ddbe4b452ea734

Link:

https://www.unpac.me/results/21f646e2-d402-4e8b-ae05-dd52c5302768/

SH256 hash:

ec3f19f1e8852c319ff1c75c6efb940a2be3a9ba4baec8fcd8c9dd0fa785c4a2

MD5 hash:

30d8b0613cfa1da32f34bcca75afcd46

SHA1 hash:

7dfcde94896ca4057adc216c2a7929023d8981af

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/21f646e2-d402-4e8b-ae05-dd52c5302768/

SH256 hash:

847b0ab36fc57f3ca948afc2ae61f57ae0ed7156ea613b37c8ee64e65956c22b

MD5 hash:

5b7a211a63f8882c07b9089cd01495a9

SHA1 hash:

d308d73ebe32c5d52464e04705978c0df681b4f1

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

STEALER_Lokibot

SUSP_XORed_URL_In_EXE

Lokibot

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_GENInfoStealer

Link:

https://www.unpac.me/results/21f646e2-d402-4e8b-ae05-dd52c5302768/

Parent samples :

065e8a1cab1f2f5d1e672e67f89c309f36e047b1d50368f07c56fedb5ea6f92b
e71703a89fb65868f5daf7517bdd13d16ad09fc7f9a7b3bf4a65fa67844c4b1b
914a5312ecfb619d4ddd764668bf30e1ee1681ce770dca3f60bd2698a420b542
364967724106095e686196d58607e759382e7fe0946eda9bb843f290b8f96b43
9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b9cfba2ff3b094cd28f4483e7520b07ea46d3e99f96f173835c81eaed289221

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/5bf50cbf-7ca4-42f8-a6c5-165a7bdbd5dd

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample