MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9
SHA3-384 hash: 697413872580f2e8a830990cb1c00fc76a12d041fb6b68a7cf718168cfcfb01451758f32b81e930bf8fa359c4c521f03
SHA1 hash: 4cae0929b715a34b5b7565ac243dd0505a633175
MD5 hash: 1ba29471321f0be5a3064e6c226fb80d
humanhash: coffee-bacon-equal-romeo
File name:1ba29471321f0be5a3064e6c226fb80d
Download: download sample
Signature Loki
Create hunting rule
File size:238'617 bytes
First seen:2021-08-19 09:02:47 UTC
Last seen:2021-08-19 10:29:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f86f9a1397ea2f648b8914df9ad78914 (4 x Formbook, 2 x Loki)
ssdeep 6144:4yvNSulGHlTYvF/Ot7HEg1qRjy/fF03px:4yvBQHjt7HEgYAne3px
Threatray 8 similar samples on MalwareBazaar
TLSH T16434F12F92E8034ED3A0C5B2157128A33D2DDF76958F40A7FF84B01A60B5AC95A37977
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ for dural221 to korea.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-19 06:54:21 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/5bde5da3-dabb-4b9e-818f-0fefe6ee2251

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180619/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.25264.13165.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32c6e36d-1c95-4ae3-8cab-c6157b638c87
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/835661
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-19 08:11:05 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1736c3f3d740011ba6f6d8f18def38d20f0bcbf88c3f69821db18578bc00590a
Loki
179d1cf7266d0149e967f7e6829ed485e3bb73e75ffbce4883111f2595845c85
Loki
9f8faf1ca8d3262940620bcb00487188e8657336cc3cb498ba4ad90ae96a59af
Loki
a3b2dbaf4684b38ff966a244069a73505cb8137efe19b95afd63f7a6029060cb
Loki
d699748002a4cf4d6250e0aca08e4de6e687f39a9f946171a57f573410be3d25
Loki
e72dab4f75cd19899422ecf38de195bf487f0f9d2b0ccad98c13a48e9d782e97
Loki
e77133630fd1d9de3ee373ff4d04898a2b573ea0160b450b5629db347e41d123
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210819-x322yly1g2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.5/sxisodifntose.php/XjjuWy0TVqjre
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
567171342569dbad0927fa700b751a4053cd6430b45ebbac486d7c0b4caa2619
MD5 hash:
f9d4019e69dd4279c370a93e123c49f9
SHA1 hash:
531e39372c1005868779db9dddfb47284c3f960b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/fbe3603e-5af3-4d33-a9a0-841aea8f1885/
Parent samples :
404ef33e86cd5e9d6705041d1bdf7e39108cd87705a83f53b8abb77a036340db
9f66135d831d5ba4972ba5db9e0fd4515dfaecc92013a741679d6cddbe29ab25
d8bb1bb8587840321e74cf2ab2f3596344cbb5ffeb77060bd9aade848fed03fd
a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9
SH256 hash:
a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9
MD5 hash:
1ba29471321f0be5a3064e6c226fb80d
SHA1 hash:
4cae0929b715a34b5b7565ac243dd0505a633175
Link:
https://www.unpac.me/results/fbe3603e-5af3-4d33-a9a0-841aea8f1885/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe a5edaf3e781977e82b6d645cf52e3c8987a69f707f6d6ef2377d9f7546f744e9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1545033/
Cape
Cape
https://www.capesandbox.com/analysis/180619/

Comments


Avatar
zbet commented on 2021-08-19 09:02:48 UTC

url : hxxp://198.23.212.137/dth/vbc.exe