MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a85674ae37ee05418c755e06ea117ae6538ef6ceac2d1f17e1c1cb98bdc52a46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	a85674ae37ee05418c755e06ea117ae6538ef6ceac2d1f17e1c1cb98bdc52a46
SHA3-384 hash:	e679b71fd571f8f2841187f9f017781445244efecc3820852df01ed7e066ff1c2dfdee51e24868f471cdd12b57a82b28
SHA1 hash:	65754fd40e5c741698a2f05590af084fb3fdb0f0
MD5 hash:	177bf2c44f835f3d94d8119ee5d2cf1c
humanhash:	river-single-juliet-island
File name:	triage_dropped_file
Download:	download sample
Signature	Loki Create hunting rule
File size:	643'072 bytes
First seen:	2022-05-25 11:25:46 UTC
Last seen:	2022-05-25 11:58:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:xcoGZFFA98BEme8RLRdHhMCDwwaIFo20T12iSpl9sZ0NDyRnxXKFqK57W:xcUKBEwLN/nz+9XSpoZKFq
Threatray	9'641 similar samples on MalwareBazaar
TLSH	T1BFD4D09D3250B2EFC867C97699A41C64EAB1747B970BD607D11301AC9A0E6E7CF206F3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	malwarelabnet
Tags:	exe Loki Lokibot

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.133.1.45/perez1/five/fre.php	https://threatfox.abuse.ch/ioc/632472/

Intelligence

File Origin

# of uploads :

# of downloads :

432

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Payment-Advice.xlsx

Verdict:

Malicious activity

Analysis date:

2022-05-25 10:41:49 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer

Link:

https://app.any.run/tasks/12c9b3ef-1a4a-42c4-9635-f2313c42e8b4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/274486/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/628e125f6eb3ff32632ba1d8/reports/23539080-e722-4357-b70d-aaa00b1706cf/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/759243b9-b551-4b6a-a645-d9fde7d50ef8

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1001517

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/a85674ae37ee05418c755e06ea117ae6538ef6ceac2d1f17e1c1cb98bdc52a46/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-25 09:56:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vblhjlrx5ycudddvlydouel24zjy55wovqwr6f7byhfzrpoffjda._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

3851e1c8c896ecae1035576a4b37d1fafa0690df428e255ed709c155cf77279c

Loki

4dd4e59368f5e310bdebc4f7ee60778446873c9b930f16366592b471a86f3718

Loki

50cb7b0b1d15d89428745bd508343b52d5f197b5f57cdf83a077973bae3d1ec1

Loki

7fe467ef6f392039c0ce5edaadf85c19a8406a0b0b7332131e2b2ddc9f074bb6

Loki

9740fa7b19f17e4c6df857ec1240c243a77ad689894ecaa92bd112709c242664

Loki

af8fd10b749ea99db1bb4a6a2d7ee79f6b03726b2866a652f8bade94d83440b8

Loki

bc4e9db6c6cc42bb03d7257abbf2105e1ed6c4fe24ccaabcd3db84fe8a935c1b

Loki

+ 9'631 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220525-njt8pseabj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://45.133.1.45/perez1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

3aa7449a872b207789c418f767216070fec4101fd20de03ea81e0b3ba9cf3da7

MD5 hash:

64c726ef1c50baf6ca42c00a8225ea83

SHA1 hash:

ec8dde946a89a90567fd77d1bfaceef5ec21f4e1

Link:

https://www.unpac.me/results/02f3c9f6-544a-4ead-8762-c53c1e05c93c/

SH256 hash:

54b7455f856e9deb9516aae6fa245e1b4c765807423d4fbc6eff7d74dcbdaf85

MD5 hash:

2108ea6e3e1440837b2ac9d40d57c2e5

SHA1 hash:

cc6593b5d8edd1c849f814347794efbc35c163eb

Link:

https://www.unpac.me/results/02f3c9f6-544a-4ead-8762-c53c1e05c93c/

SH256 hash:

c720d8d87e5744ef459c160ae3ae85984519c5cee89d4acd3d4156f929ebcca2

MD5 hash:

86f922d84e1b89f646bc23cb3d878a9c

SHA1 hash:

b61f4401c1a144d704988cf4e55dd9a71f8d8263

Link:

https://www.unpac.me/results/02f3c9f6-544a-4ead-8762-c53c1e05c93c/

SH256 hash:

0283941f1f7ae72f88bb3044addc3f4274549c3fd771612ec3df95c80b708c9e

MD5 hash:

abcf7824b477074db7ac154a80d1e329

SHA1 hash:

9c6982829bff318776560846de7bcc39d3c16f7f

Link:

https://www.unpac.me/results/02f3c9f6-544a-4ead-8762-c53c1e05c93c/

SH256 hash:

f216a0d5b91d80188ec6f2c58fcddca3b235ffbc095ae5a17b7bb516a2e4733f

MD5 hash:

d888553765064c4be143ddae4778ae00

SHA1 hash:

883ab17515b2a56cc473fae61c09269f3db5569b

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/02f3c9f6-544a-4ead-8762-c53c1e05c93c/

Parent samples :

a85674ae37ee05418c755e06ea117ae6538ef6ceac2d1f17e1c1cb98bdc52a46
adb44c493e9757667fc01117b01aa585a5ab14b5c364d0760914f00bd13b0bfe
155ea73b42a3ab83f6d8cf2eb3372cf32fedc6df2c8c4158926306faa2f2fb01
6f7897864039db93ec4022e48ea0ad559bc89cffe04731390a03c77419e0dc0c
a3ceddbe89dba68b99d3fabd334114b1c914e47a67d0bec641fae33f49e74456
811ac7028bcaec556ad1289602b0e6aebf1adc88ca7ca3fe36563d42af10568a
d89f936f351c4ff552bd57fcb766d6cb66754a0a7675b9d2c9077756cd71e7e6
ffdef4c9876b2f3453a9524130ad0511d68fdf33fb6916a387cce663a5ae0225
1a6438ff103a82ca1dffb1f3b3a079e387dc75bd3ca6cda72670bd71edd7ea72
10c75255a4e152676995d6550b32f543850cfc974661201ce04e9c19d27b6618
f364800c07937fb2c41475a8a453df9b06c2297765ef1732f1904424021424f5
2f370d4201e18eec58daba5effb25836788d530f747ebaf7593b3457d3d0c743
b65fd047ca18025cd457b3b5725ac61de6a8893a47de0fbb8226d29e1e82e6e9

SH256 hash:

a85674ae37ee05418c755e06ea117ae6538ef6ceac2d1f17e1c1cb98bdc52a46

MD5 hash:

177bf2c44f835f3d94d8119ee5d2cf1c

SHA1 hash:

65754fd40e5c741698a2f05590af084fb3fdb0f0

Link:

https://www.unpac.me/results/02f3c9f6-544a-4ead-8762-c53c1e05c93c/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a85674ae37ee/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/a85674ae37ee05418c755e06ea117ae6538ef6ceac2d1f17e1c1cb98bdc52a46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/274486/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample