MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7a1a43d30f2cb7ee32934670de804b7a2c2961e2ef950339438eab91b1e438b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7a1a43d30f2cb7ee32934670de804b7a2c2961e2ef950339438eab91b1e438b
SHA3-384 hash: 9ad01904cfdb5c6cfbf4722a8173bc43232a98c4a6cf8fb7784dc867cde129375ed895ba946455b86a6d964c4cbaf86d
SHA1 hash: 76a26f59d5346847378859b25bc96b41a668e678
MD5 hash: 7c1876b8b71c72e8e9fb2fd494020c67
humanhash: uranus-south-helium-delta
File name:7c1876b8b71c72e8e9fb2fd494020c67
Download: download sample
Signature Loki
Create hunting rule
File size:376'832 bytes
First seen:2021-08-26 06:43:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 6144:A4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pzj:vXe9PPlowWX0t6mOQwg1Qd15CcYk0WeT
Threatray 1'079 similar samples on MalwareBazaar
TLSH T1C384124548C5CCA6E71AB370D0B3CE9829657832CCD56B689754EA2EB870343B853E6F
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
80893_payslip.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-26 06:37:06 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/8a38e5b1-62cd-42ee-8e57-aecd4cf84268

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182524/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00a88417-6fcd-43f7-ace8-09bf6f35d52b
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/839532
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7a1a43d30f2cb7ee32934670de804b7a2c2961e2ef950339438eab91b1e438b/
Threat name:
Win32.Dropper.Apshee
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 04:04:45 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
17d901ea338cf7b487226ebd86f963023ce246d9f3aaa973f6d15c44cb01907d
Loki
27c7757a5432815c4867ebeeaa23152703af16520d73117a372e6371061fc1ee
Loki
28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa
Loki
29a8a708880ca187202112de47bed915bf9fd0e64cab0d08a839b7ede6c16506
Loki
3c60a213817ebd39736a7697167aa4c1acedb10d1a8656662b70b2f1fc327ad7
Loki
71335267a0a48bbcf678e354b421445d3db926ec5dd9b40c2a004cebb9b166f0
Loki
88ceee260ee9b4baa66e0aeb88821c2edbfebdb3f946cb8e1d3c4850ab0a0365
Loki
b1d23d23f4cb253299dde04c81c51a3e375fc60c45965af013aefe47524202d8
Loki
b5225e4f19b8f43d98a52808829087a9019cf247fb6a3f6acd6ae30eccb9e8b1
Loki
bb025003b58ee61c3d6805cd3974844ca21224c8fd64c0678b19864453137a58
Loki
+ 1'069 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan upx
Link:
https://tria.ge/reports/210826-vcns12z6v6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://65.21.223.84/~t/i.html/XjjuWy0TVqjre
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
7639f65a441228eeebdc5f3328cacafd5e86153e7e3d28cdcf8c0575a97f61c7
MD5 hash:
01c8d4ff3557e3d79438d2906906448d
SHA1 hash:
143f830b364b895da728a98a1f423481380b78bb
Link:
https://www.unpac.me/results/6b2b9380-3c56-415b-a23d-f792c4bc8c68/
SH256 hash:
a7a1a43d30f2cb7ee32934670de804b7a2c2961e2ef950339438eab91b1e438b
MD5 hash:
7c1876b8b71c72e8e9fb2fd494020c67
SHA1 hash:
76a26f59d5346847378859b25bc96b41a668e678
Link:
https://www.unpac.me/results/6b2b9380-3c56-415b-a23d-f792c4bc8c68/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a7a1a43d30f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/a7a1a43d30f2cb7ee32934670de804b7a2c2961e2ef950339438eab91b1e438b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe a7a1a43d30f2cb7ee32934670de804b7a2c2961e2ef950339438eab91b1e438b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/182524/

Comments


Avatar
zbet commented on 2021-08-26 06:43:03 UTC

url : hxxp://198.23.212.137/axi/vbc.exe