MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a148f6912ad65a00621fd10bf86af7d79ea6c91d9e653649955956a7a23e3f2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a148f6912ad65a00621fd10bf86af7d79ea6c91d9e653649955956a7a23e3f2a
SHA3-384 hash: ce66bfef5678139a1519263828111973d28aec2f07a0bf6ffe443b221dc9aa6684a481fadf03df7109271d52991de441
SHA1 hash: e59dc1193a70823aa5209e512121854e02699d92
MD5 hash: 1663b9b84f3bf9ce32261da80c99f12d
humanhash: cola-beryllium-item-purple
File name:MT103 swift.exe
Download: download sample
Signature Loki
Create hunting rule
File size:247'502 bytes
First seen:2022-11-24 06:55:21 UTC
Last seen:2022-11-24 08:37:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 6144:QBn17ozS4TSj7aW+5iEat44Ovw4BDErs8w2aaY0nadbrlWZ17:g76SFvaW9EPLBwpNPY0nS8Z17
Threatray 9'526 similar samples on MalwareBazaar
TLSH T1F834229A36D3A7E7D5820A340C7B5B65C17FAB0817B663871BA20F6FB8782C4D944291
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://171.22.30.164/sarag/five/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
MT103 swift.exe
Verdict:
Malicious activity
Analysis date:
2022-11-24 06:57:07 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/ee589cd1-0043-4e9b-9aff-157648357c06

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/337951/
Detection(s):
SecuriteInfo.com.Trojan.Garf.Gen.10.27985.14482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/637f158400c584752ee1af15/reports/d39027a2-9bf2-48de-aebe-f907579af00b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a2d711f-2ba4-405a-b5f4-e62df0dbc000
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1120325
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a148f6912ad65a00621fd10bf86af7d79ea6c91d9e653649955956a7a23e3f2a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-11-24 00:51:03 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufepnejk2znaayq72ef7q2xx26pknsi5tzstmsmvlflkpir6h4va._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
222b8b814a32347ab31d4a3174b67ee762ddfaae34e49ef21397ebfafa2328f5
Loki
381689aa52129bc94e5b821684bf9c00e91af0ef9a56b4490ee071e0cae08c58
Loki
5b51a7e451c70c0271f21acf38747c5af235c18394585c4470f127c343b6ff8c
Loki
a512d074556e9c5f7fe2fbb2ac63088adbaf8b4011a1629cc71cede78bdb2f19
Loki
a5d6e92e8d795d49e69b5f095b8cd864182ed00499985a0efa85d013edb966d7
Loki
b4fd188ef7836ae52efeb16712d088dd2cd21d09e37b19cc645b0f8b8762424c
Loki
e4680e26cc89886c7bcfcc9145902d92c5232f3572970d8d0b60ee3ff2e9d89a
Loki
+ 9'516 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221124-hqcpcafd63/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://171.22.30.164/sarag/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d6076b41-7021-467c-b649-a7674a4c59da
Unpacked files
SH256 hash:
9c0b3e4a49f939fd1f224df1c661446835212d3f1805269f41ce225898c56fad
MD5 hash:
71872e44e2de9b099ce746ad2ffb46f3
SHA1 hash:
721f3877d47fb6011a972c60373d2165dd7e55e5
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/ab90454f-3374-493e-af15-8a9e1a048c81/
SH256 hash:
1460df7d7092a1687b242d059fd5f590417a8f943406fac26f4c8ae1b16eb19f
MD5 hash:
c1dc087f07ae002e6ebf53ba3f3b3d28
SHA1 hash:
c1529f2c07368d397e8157ec0300fe2c27c59c20
Link:
https://www.unpac.me/results/ab90454f-3374-493e-af15-8a9e1a048c81/
SH256 hash:
a148f6912ad65a00621fd10bf86af7d79ea6c91d9e653649955956a7a23e3f2a
MD5 hash:
1663b9b84f3bf9ce32261da80c99f12d
SHA1 hash:
e59dc1193a70823aa5209e512121854e02699d92
Link:
https://www.unpac.me/results/ab90454f-3374-493e-af15-8a9e1a048c81/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a148f6912ad6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a148f6912ad65a00621fd10bf86af7d79ea6c91d9e653649955956a7a23e3f2a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337951/

Comments