MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 11
| SHA256 hash: | a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d |
|---|---|
| SHA3-384 hash: | 2b5047db9648eb521226ffe63b61b94bc1278771a0025a90954102685c3d38002929952b3ff35a159853b6c4701d98fb |
| SHA1 hash: | f93a8d3e17563203fdf5d15a678c08579cc54451 |
| MD5 hash: | b5f7d65b946de5b3aba05e6438cb1e8f |
| humanhash: | glucose-cold-triple-stream |
| File name: | SecuriteInfo.com.W32.AIDetectNet.01.655.18953 |
| Download: | download sample |
| Signature | Loki |
| File size: | 567'808 bytes |
| First seen: | 2022-07-04 04:33:36 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 12288:rQMkVenghTq/WFAFGzV17VdiJD4xQ2ao8/6rM2:keB/WgGZ1viF4nKirM2 |
| Threatray | 10'063 similar samples on MalwareBazaar |
| TLSH | T102C4E12DFFADCE02C6685237D4D2552843719D8BA222D79B368D12A50E037B7DCCA74B |
| TrID | 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1) |
| Reporter |  SecuriteInfoCom |
| Tags: | exe Loki |
Intelligence
File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Verdict:
Malicious
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Status:
Malicious
First seen:
2022-07-04 02:14:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 40 (50.00%)
Threat level:
2/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Similar samples:
+ 10'053 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=22289002125658625
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
95d5cdcaf2916fa16c3c336d2a3a557019996502066fe948c4ae4cf8c26c7941
MD5 hash:
c49904593ce08bd0990476cba8614dc1
SHA1 hash:
c4906beff83f4de92bfba8649900ca77f8130300
SH256 hash:
70bb4f8aa7d0a33f8206f78c845fa2bd686c2a0f2b3bd50cd0b6b887a45398ca
MD5 hash:
30d61a3a3e26c2bca2eb766990132d7c
SHA1 hash:
94f9742d5f21b13f7d8d194fe938193cbb6a0d4d
SH256 hash:
3b59fe180dd50e3f3d4fdcbdd4e7a2d4e3e1c85ae43cb4f3716c4be41e9ec2ae
MD5 hash:
9ea556e333e216a65aa09c102f36004f
SHA1 hash:
814c07f1dc68bd61840384aac3aa8346d9f8148f
SH256 hash:
022cfbc342e4ceae5579bee0e51357019339eeb161ea2255b4941d85579858dd
MD5 hash:
eb9b46a6c313d294d9ec7c54e8f40a8f
SHA1 hash:
75dc7384c70fe38afe0e23940796f8728623da5c
Detections:
win_lokipws_g0
win_lokipws_auto
lokibot
Parent samples :
56a9829d3a588c2a1f2a8e82f358214387d36cdf1a28afef973bfbae53ff888b
b212572732a5245c0c9b6230914a732a14d18880ee39983097cfdf9e4a1fdafb
2a07302e6f73cdb98477d642dff2e9679b41ed110865fbf6202aa594fed0e88e
3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e
a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d
a6d5c3429653e7201de00c45ac0f350ac7878227511a4c33ad8128767cf696a5
b212572732a5245c0c9b6230914a732a14d18880ee39983097cfdf9e4a1fdafb
2a07302e6f73cdb98477d642dff2e9679b41ed110865fbf6202aa594fed0e88e
3464f31088630d2c06ff50b2454ddfb6556fdbcfdcc1c5692b903ea13dde809e
a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d
a6d5c3429653e7201de00c45ac0f350ac7878227511a4c33ad8128767cf696a5
SH256 hash:
50366310c9ffbc247b444af0afb93f33a6b7cab3d425d35bc1ff089538a73d06
MD5 hash:
6a57a661c4d857e9144368872b8e3b86
SHA1 hash:
726903e9200a11df3da31ae6da25d4a555a6b908
SH256 hash:
de5c1fce86dd5beb87fc430984dd8ec88e1e4728af483364f34fc46d84e6f4fc
MD5 hash:
ce0b125cb8a12bbfa28118f79ff27004
SHA1 hash:
0e8f4301a1024547fe68f74a35aa7074d9b1e938
SH256 hash:
a3db0c28cd89e1ad60476432509947d6bb2d30415582ae7f0784ffbedb5a0b9d
MD5 hash:
b5f7d65b946de5b3aba05e6438cb1e8f
SHA1 hash:
f93a8d3e17563203fdf5d15a678c08579cc54451
Malware family:
Lokibot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.