MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a53876f3a36c594ee0139070684b6ae55f7f1c21b3888cdaa30ae88f9e313958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 7

SHA256 hash: a53876f3a36c594ee0139070684b6ae55f7f1c21b3888cdaa30ae88f9e313958
SHA3-384 hash: 58c2bdb610841118d9310f947359011bb4bd90cc3fbe34d52594381318450c66bd160732d969e9ddc7ce38473c193a3b
SHA1 hash: 43daf50244c3828015c7476ca119f83a4e1f5d73
MD5 hash: b3e9231a1de2b75a4fa0c0d2fc7f21c0
humanhash: saturn-salami-kentucky-ack
File name: uijsppy_Signed_lk.bin
Signature: Loki
File size: 1'013'416 bytes
First seen: 2020-07-20 10:58:08 UTC
Last seen: 2020-08-02 07:34:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3a53a72dea4f25a6a6c0f0fbab7e5ef2 (2 x Formbook, 2 x RemcosRAT, 1 x AveMariaRAT)
ssdeep: 24576:IgtGHnojbHsr80kwyjUcszLuVU0dEuXXJ+CYGz3iXc8kWSmnaF:IggHHYe4UcszLuVU0dEgXJ+CYGzKRS86
Threatray: 308 similar samples on MalwareBazaar
TLSH: 1F25AD23AF9D8432C2A2653C9D4BD6FE5431BC553A18C857A7E83C3CDE3A395342A197
Reporter: JAMESWT_WT
Tags: Loki

Code Signing Certificate

Organisation: Microsoft Time-Stamp Service
Issuer: Microsoft Time-Stamp PCA
Algorithm: sha1WithRSAEncryption
Valid from: Sep 7 17:58:56 2016 GMT
Valid to: Sep 7 17:58:56 2018 GMT
Serial number: 33000000CCCBB813EB5D722D450000000000CC
Intelligence: 15 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0C043752471269029D69B98BD42DFAD2656F1BCFDEC9A291039F4EF69B496C70
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 76
Origin country: n/a

Vendor Threat Intelligence
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 64 / 100
Behaviour
Behavior Graph: [behaviour graph image; the data recoverable from it is listed here]
Behavior Graph ID: 248081; Sample: uijsppy_Signed_lk.bin; Start date: 21/07/2020; Architecture: WINDOWS; Score: 64
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Processes: mshta.exe, uijsppy_Signed_lk.exe, dbrdfck.exe (dropped as C:\Users\user\AppData\Local\...\dbrdfck.exe, PE32), ieinstal.exe
Network: speedfinance-cloud.gleeze.com (185.241.194.58, NETALISFR, Russian Federation), ports 49735, 49737, 49739
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-20 10:59:03 UTC
File Type: PE (Exe)
Extracted files: 68
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: lokibot
Score: 10/10
Tags: persistence trojan spyware stealer family:lokibot
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Lokibot
Malware Config
C2 Extraction:
http://madibalohilalamb.duckdns.org/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Loki
File type: Executable exe
SHA256: a53876f3a36c594ee0139070684b6ae55f7f1c21b3888cdaa30ae88f9e313958 (this sample)

Delivery method: Distributed via web download

Comments