MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac66eeb17fb8028ffeb839cfa6815679b06ec2bbd6e43e8c3bba052d057ff6be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac66eeb17fb8028ffeb839cfa6815679b06ec2bbd6e43e8c3bba052d057ff6be
SHA3-384 hash: 907429d46118706222bb5e890d941cfd41f27ede4aa9e275499a3e38c6db42ccb131a7ec9760abd612102f196b9a6ab0
SHA1 hash: 3cca428ec7ca92b980baf5631beb9904a2201e33
MD5 hash: 547a29ada36b9fc565d73b5ba8695565
humanhash: three-red-coffee-nine
File name:547a29ada36b9fc565d73b5ba8695565
Download: download sample
Signature Loki
Create hunting rule
File size:886'272 bytes
First seen:2022-07-14 07:36:41 UTC
Last seen:2022-07-15 03:18:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:SFi8/u9e+3zoSqnkClBOu2deXit+mGQOs:SFi8H+ESr4qeyUmG
TLSH T1EC15332436799F98EF9B95360FF4844F11B6F250A42BBB0E2258813467C372790E5BF6
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
547a29ada36b9fc565d73b5ba8695565
Verdict:
Malicious activity
Analysis date:
2022-07-15 00:22:42 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/ffc707dd-cf45-4495-8a46-44ec73c8c848

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/288876/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1448.12134.6676.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62cfc7e78dab2096b99811a0/reports/e1286b9a-2a68-4743-b3d7-609bfe5f80a0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1031356
Behaviour
Behavior Graph:
n/a
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac66eeb17fb8028ffeb839cfa6815679b06ec2bbd6e43e8c3bba052d057ff6be/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 04:44:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrto5ml7xabi77vyhhh2nakwpgyg5qv323sd5db3xics2bl7627a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220714-jfza2affd5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.102.170.20/demo/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
ea801ddd1ea57f52ae69533038861744365d8d9c05c3a9c1190dba32d07dc6b6
MD5 hash:
4d0e9bfe94004ceb16e9b63c7c03067d
SHA1 hash:
05e3fb4119f85cc6b6543d8624191a7000d856cd
Link:
https://www.unpac.me/results/2ca0ce89-8b64-497a-8bfe-6f4ccee9d88b/
SH256 hash:
9994acc8d7a8bccdfc858188699531508e3350416f271fbc8968479939246830
MD5 hash:
afe9071a1d93026608be41268d3534a6
SHA1 hash:
1ae1c37e9e2d46a06245eb272781ba263c15b90c
Link:
https://www.unpac.me/results/2ca0ce89-8b64-497a-8bfe-6f4ccee9d88b/
SH256 hash:
883b63ef84c6b1cc09687962beca56e4f4b7960df7c5459e29998befaa3ccf15
MD5 hash:
ecb3f27eb8279c51608c8ea8f8050655
SHA1 hash:
82385d75444ab5fccacf37e2746c7dce73faa7f3
Link:
https://www.unpac.me/results/2ca0ce89-8b64-497a-8bfe-6f4ccee9d88b/
SH256 hash:
b3e5cbb80a19e5bbd5ca27b7e8a9c05b4fd70309b73b54b458e82db2ffc8b865
MD5 hash:
bb1e8bf018379b3f96f122372dcd22f1
SHA1 hash:
93c4543963997415350dda38815ab2e47f6c5693
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
Link:
https://www.unpac.me/results/2ca0ce89-8b64-497a-8bfe-6f4ccee9d88b/
Parent samples :
b66327c53adb06f067e45a7763f760aa5a240ec7a8436a0240246ff858c81f5c
1065589a9340762824a0d03fff314f61e65083bf59cbc457e7ebb4986d871611
ebf17062065528a741f635ddbfa773618c23060a96609ce130bddffce137693a
762e0b4b5ac10ebdfa880cdca1989f607cb623a0a58292bd2424314378b04e81
1a63f65bcede3af088e7418ab0ba5a8be2fe254875571e73b32187bb84e4f701
ac6244801e7bc28902f33c0c292da8616933677c58d190ca662f1afc731af60c
ac66eeb17fb8028ffeb839cfa6815679b06ec2bbd6e43e8c3bba052d057ff6be
339977335a0e4a0029c4484e7067b2e1a18f29bcbc27a90b639d6c24daa88803
SH256 hash:
7e7fa0a261214d53c2a5194464884c80e8b9f118d9b60dda7a07dd5327d8684f
MD5 hash:
130295dbb236817a42f19fd6602f219c
SHA1 hash:
dec505720bc10d37d85128ae95dd4a1362f553ce
Link:
https://www.unpac.me/results/2ca0ce89-8b64-497a-8bfe-6f4ccee9d88b/
SH256 hash:
ac66eeb17fb8028ffeb839cfa6815679b06ec2bbd6e43e8c3bba052d057ff6be
MD5 hash:
547a29ada36b9fc565d73b5ba8695565
SHA1 hash:
3cca428ec7ca92b980baf5631beb9904a2201e33
Link:
https://www.unpac.me/results/2ca0ce89-8b64-497a-8bfe-6f4ccee9d88b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac66eeb17fb8028ffeb839cfa6815679b06ec2bbd6e43e8c3bba052d057ff6be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe ac66eeb17fb8028ffeb839cfa6815679b06ec2bbd6e43e8c3bba052d057ff6be

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2257220/
Cape
Cape
https://www.capesandbox.com/analysis/288876/

Comments


Avatar
zbet commented on 2022-07-14 07:36:43 UTC

url : hxxp://198.12.89.161/500/vbc.exe