MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d
SHA3-384 hash: c94ce786fcd4d6aed2a27b2f373a554d234a7d975058f16dce0fceec1f44cd9f114f7d9c2cb644e10078148447c044fb
SHA1 hash: 7dfb9eb80222331394bb29de4b8d5bd5fbc8f707
MD5 hash: 441afd1c6eeb94fff021df301abc9022
humanhash: fish-hydrogen-vermont-bacon
File name:Awb# 8457108962.exe
Download: download sample
Signature Loki
Create hunting rule
File size:739'840 bytes
First seen:2023-03-28 12:13:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:PA5LB0OURwLj34dvxk8lk1tE44/8Td686j28JhZ:PA5VBLj34dvx8164j68JqD
Threatray 249 similar samples on MalwareBazaar
TLSH T19EF4F198F2D4A713E7B6B7F02AB19900D3BCB8DB5B52D94D4D8A20C780F57108D53A6B
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6820f4ccd4d4e868 (11 x AgentTesla, 8 x SnakeKeylogger, 4 x Loki)
Reporter Anonymous
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Awb# 8457108962.exe
Verdict:
Malicious activity
Analysis date:
2023-03-28 12:15:15 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/ea58eca7-fe14-48c6-941a-6bec6a1b4482

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/378156/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet lokibot packed
Link:
https://www.filescan.io/uploads/6422da0c9c109cf74b3050ea/reports/1aa1f7ab-e063-4634-89ad-8866dbe7410d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a5042c3-e7eb-4e97-976f-d38244bf9af1
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1203404
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-27 02:28:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=utljfpjmnpezkmhcghtdze7oerrjrffu7e4r32627tamcypms4wq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0c69a178d45b450afee622418a4a5294599de3aba419cc8b92ab4b08c28ab493
Loki
2fbe8381a484cb4c52055f448ec0934e04230d60fe109b3982008c598714c8ae
Loki
6b9d3c74a203a271770eabdff54f9956cdf2337e8ac5ef14866fd9aaf167fa73
Loki
b46bad53e429d0e8448e3887355ae7b83c08f397ff30be8a8c6866ad2d9177db
Loki
c5881aae0402696993a36546d2fa1e44d6fb53c0b8528ea23cbb1c12e0e7c9b1
Loki
+ 239 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230328-pea5psah77/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://64.227.48.212/?page_id=6303
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
30780f2a50e90cd2774acd886918d8d92ea624a05b12d0e1faf7cec64a426edd
MD5 hash:
8d4982d22e42360c6097abdcf0ed79dd
SHA1 hash:
d7df2a1af071b636182c8f77affb9bcd9dc8c88e
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/3041beeb-c5a4-414f-ab31-f0687d0c0bd6/
Parent samples :
93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1
8e8f0ef7fe5176d9ca580c127a9476ca505c4990c317ebd7b18b92129eac4bb2
c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b
d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46
a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d
b3a40483ab494f036bce8494672fcabc9719ac985979446135ca2625de80056d
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
453b2c84056cde325f4e314ecb272996714901ced897e8605658d25f1036aee6
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/3041beeb-c5a4-414f-ab31-f0687d0c0bd6/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
79742670ca55b4367bbfe50bc94dbc99b697d04eb4d8c82d55b3a7e503e33eaa
MD5 hash:
9d0d89c394ac492f99a520caf4099658
SHA1 hash:
81f92a0caa1459e06318c6bff336b93f6bd20cb4
Link:
https://www.unpac.me/results/3041beeb-c5a4-414f-ab31-f0687d0c0bd6/
SH256 hash:
6c10c4d03a1c0bd9b0d4cef3940b171edb619ffa6ca85b33f067914da042ef89
MD5 hash:
0d9022bd5fc7611570ac8970adc915f7
SHA1 hash:
145ecc1368f208c994051a55c0fe2f776d1fd0fd
Link:
https://www.unpac.me/results/3041beeb-c5a4-414f-ab31-f0687d0c0bd6/
SH256 hash:
6bf9d07d639521837124af321555cbcdc5997fead136195aed97e2744e4120b6
MD5 hash:
acfbc6c59006cabeaa982c5cf3b2975c
SHA1 hash:
03ef87ee97fb810723f8cf284c09755c08822eb0
Link:
https://www.unpac.me/results/3041beeb-c5a4-414f-ab31-f0687d0c0bd6/
SH256 hash:
a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d
MD5 hash:
441afd1c6eeb94fff021df301abc9022
SHA1 hash:
7dfb9eb80222331394bb29de4b8d5bd5fbc8f707
Link:
https://www.unpac.me/results/3041beeb-c5a4-414f-ab31-f0687d0c0bd6/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a4d692bd2c6b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d

(this sample)

  
Dropped by
loki
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/378156/

Comments