MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2f517902067cb80e4115511d3c530a39fece06060e0569af7d197eaa7ea6ef5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 10

SHA256 hash: a2f517902067cb80e4115511d3c530a39fece06060e0569af7d197eaa7ea6ef5
SHA3-384 hash: 68d028fe476c221c1fbb1bd33a38abe11806a5fba4a7922dde461952727773b20551df09576d48ce37a9af4cfefef3b5
SHA1 hash: 6f48f3e6d4d1c3d49a2f6a70fa707315ec9fcebc
MD5 hash: 75af2c38b49bb7a98e001725edf88559
humanhash: tennis-don-salami-mississippi
File name: PRJ No. PG6432 KHE SHELL-RFQ-Project Documents & specs.exe
Signature: Loki
File size: 454'656 bytes
First seen: 2021-04-26 05:48:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 12288:9mQIK7dX1ROLZPE4l5/x4mvU4ux9duHa:d7j65/x4mvKYa
Threatray: 2'829 similar samples on MalwareBazaar
TLSH: 38A49E3A2AC40790E6BDCF75E334008803F1F52BDB12E75FAD6442DA9F51A8B9273652
Reporter: abuse_ch
Tags: exe Loki

Intelligence


File Origin
# of uploads: 1
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PRJ No. PG6432 KHE SHELL-RFQ-Project Documents & specs.exe
Verdict: Malicious activity
Analysis date: 2021-04-26 05:49:13 UTC
Tags: trojan lokibot stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2021-04-26 05:49:07 UTC
AV detection: 10 of 47 (21.28%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot agilenet spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://104.168.140.79/ghost/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: a2f517902067cb80e4115511d3c530a39fece06060e0569af7d197eaa7ea6ef5
MD5 hash: 75af2c38b49bb7a98e001725edf88559
SHA1 hash: 6f48f3e6d4d1c3d49a2f6a70fa707315ec9fcebc
Please note that we are no longer able to provide a coverage score for Virus Total.
