MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25
SHA3-384 hash: 043f2e2711085906f1f87d41b1a952e2b7362520bd647af1ea920dc45344b4e8517fae2f15320dcebceb5cc13d2a3f97
SHA1 hash: 1530fa6f1f82cb38a120e8b9d56819c4f7e24d3b
MD5 hash: 5b155ef84b75f421486cd7557e5e7ac1
humanhash: solar-nebraska-virginia-item
File name:5b155ef8_by_Libranalysis
Download: download sample
Signature Loki
Create hunting rule
File size:437'248 bytes
First seen:2021-05-07 08:01:49 UTC
Last seen:2021-05-07 08:54:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:pIEATji2NEi6xp9Q8y5MLuwLPKlyyKrjzDA6SSTZs8p8nVJrjWrQpqaQO:pIEA62wx08Wauw7uvsjzDA6+SEraQS
Threatray 3'143 similar samples on MalwareBazaar
TLSH 529402413B84E946D56509331D8AD3B0133FBD75A9259A13B88C3BDF0BFA65EB42132E
Reporter Libranalysis
Tags:Loki


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift Copy.exe
Verdict:
No threats detected
Analysis date:
2021-05-07 07:20:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c47dee17-0ce5-48a4-9e52-3b37f8d13fa1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/152526/
Detection(s):
SecuriteInfo.com.Artemis5B155EF84B75.5636.24878.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Creating a file
Reading critical registry keys
Changing a file
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/720193
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 409023 Sample: 5b155ef8_by_Libranalysis Startdate: 09/05/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Multi AV Scanner detection for domain / URL 2->37 39 Found malware configuration 2->39 41 6 other signatures 2->41 7 5b155ef8_by_Libranalysis.exe 6 2->7         started        process3 file4 25 C:\Users\...\5b155ef8_by_Libranalysis.exe, PE32 7->25 dropped 27 5b155ef8_by_Libran...exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\...\5b155ef8_by_Libranalysis.exe.log, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->31 dropped 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 47 Injects a PE file into a foreign processes 7->47 11 5b155ef8_by_Libranalysis.exe 54 7->11         started        15 5b155ef8_by_Libranalysis.exe 7->15         started        17 AdvancedRun.exe 1 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 33 parisyoungerfashion.com 148.66.138.116, 49728, 49729, 49730 AS-26496-GO-DADDY-COM-LLCUS Singapore 11->33 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 57 Multi AV Scanner detection for dropped file 15->57 59 Tries to steal Mail credentials (via file registry) 15->59 61 Machine Learning detection for dropped file 15->61 21 AdvancedRun.exe 17->21         started        23 AdvancedRun.exe 19->23         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-07 05:14:36 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvvygqm3q6pucx6nnfq7ggwqgrjqkkem2z5wdtskkm7yykxbfqsq._file
Verdict:
malicious
Similar samples:
15e84355978fd585af794a5aa1b61144a9197d1410219a4e129aca0ce953904d
Loki
40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a
Loki
5e7621b7f875f9e6c730454d916a2bc2acb7d8b1fbc1dbe7cdb1917d42f1590b
Loki
86d5516b71ddd68cf50273d5fa8a501c399be218b35dcfc09c29ef97f3afc111
Loki
916ba1be726e073d46ce02d5697723823362efc881a4d13aa803fd137fa63adf
Loki
b1c19db83bdddbc4d91689cf0c9f035bd7778492c164fa664f99552dedc1ee10
Loki
b64ddd178d652c5432004449edc53fea2abdba8633259b4d8b329e1c8484e98a
Loki
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
Loki
f49835a41a28aa1ed0f0ee8807125c8f47c821f9868c71c53223412aa15a367f
Loki
fdbd4ac1322e5a2c5ef5b808da68f48ca1ff111cd649c86aa0123c3d5538c7f0
Loki
+ 3'133 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210507-dxlepwzk42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Lokibot
Malware Config
C2 Extraction:
https://parisyoungerfashion.com/.ok/need/work/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
c06dc7592b0088674ce6632b112df32cb04c2497763860f9475b536f77e82e4c
MD5 hash:
0a749dceea8085e1e6867f553fa99985
SHA1 hash:
1bccacd3adae666f5194e69a601892f3e4a509b9
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/bab13be6-5ea3-4227-a188-14374a7fe2dd/
Parent samples :
8abaa16d8c8878bea5bc52bd5f80500333df51ee8e3212899abafd9d299131fd
a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25
SH256 hash:
2047e2fb7ca22cdb72282706f70efe1480fe5c8980ab8ebfcdd6ff67f1e1f87f
MD5 hash:
2588e7d9b21df156333b337567cd6c05
SHA1 hash:
eb44813b3bfe6cbdf7e13d4b344d496bec043a3e
Link:
https://www.unpac.me/results/bab13be6-5ea3-4227-a188-14374a7fe2dd/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/bab13be6-5ea3-4227-a188-14374a7fe2dd/
SH256 hash:
ebebb8ff06f92c4fd4a82ac223477a00bb5c435dd1044f3bad29686a6851561e
MD5 hash:
16a38cfeb7a9f6b005254ae426f234ee
SHA1 hash:
2735f5691809ea40900f45bcf5aba3e578b8465b
Link:
https://www.unpac.me/results/bab13be6-5ea3-4227-a188-14374a7fe2dd/
SH256 hash:
a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25
MD5 hash:
5b155ef84b75f421486cd7557e5e7ac1
SHA1 hash:
1530fa6f1f82cb38a120e8b9d56819c4f7e24d3b
Link:
https://www.unpac.me/results/bab13be6-5ea3-4227-a188-14374a7fe2dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/152526/

Comments