MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee
SHA3-384 hash: ac9739d96716a46ee667e5cdfb744b545dee27d49bb56f4e15b31e786d1a3aaefc00bac3972f9e2b99423f1055784e53
SHA1 hash: 3c261614633b0f6e5ff5e7ff4e046edabd544ef6
MD5 hash: 54ff5aec947510cc8ee54af34bbfa3e6
humanhash: fish-queen-fanta-eight
File name:RFQ4132023.exe
Download: download sample
Signature Loki
Create hunting rule
File size:510'976 bytes
First seen:2023-04-13 13:01:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:JKSLQG5DSdPyZPbRKTMP2D/RnHChWDIFN:JQUPbQHtSswN
Threatray 4'190 similar samples on MalwareBazaar
TLSH T1ECB412177366912AD2AE87BB81D1840803799512A123D59E2CC930EE9F5EFE707D1FE3
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000c4c4e4c47000 (17 x AgentTesla, 7 x SnakeKeylogger, 6 x Loki)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
RFQ4132023.exe
Verdict:
Malicious activity
Analysis date:
2023-04-13 13:03:24 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/42752b0e-6e35-41cb-987e-9781725d7a44

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382001/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/6437fd4bb4ec50bace5ffae4/reports/8b87f0c5-8c0b-497d-b5c8-9ffea74f85c3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3d6169b-c3f6-496b-ba35-7a3de663fcc6
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213187
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vwkrbtxkjh3plm35cmiinhl5due44a3gqmyzprk7va537kk5klxa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
07191de70521a8e76624cfafc6eba3edd19d7784c4c4c683b55f3fd16e377b38
Loki
099dfc4278cbcfc8c1e84bd46bde0b5ddbdc86b20d95b8ba6b98b66b4436a345
Loki
22966ba42f0a0adda0c87caa3aa1b8b9fcc8537081b2a6c2791df3b37a4ca5cf
Loki
5509e143021f95074f9cde2dac4d79960710adb794bb1cdf57582be08681c3bf
Loki
82faa2430877999d6998765647feeb8a474a5672736637d8278efa9e2425ca83
Loki
935a2843dc01d80582184dd6aa77fc2f4c99aaeb48b9dfef6a1e1df2e927feda
Loki
a1e44dff73b4a8616ae1b39f3ecf82b457859f3aed8b208ae41e79d7d79c5ef2
Loki
ee734d6d93d42624ffd7f363f3252ee46cfbc5b6adef174447232605bda7d607
Loki
f36afdc4b01e349a83cd54619dcc3864d800c328c784c79ccce271ff48742523
Loki
f762c98b251097d1cbc8bb09b9deb573132689d83996d6884984d3f334fd2f18
Loki
+ 4'180 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230413-p9r2psbe57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://64.227.48.212/?page_id=4983000593629
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
760b66bdddfb88fb9a2a5f2a838a09d9f9c56304247efb9ed18c6dd78f70ad33
MD5 hash:
c601e11dd43ba33cd1a2ac27e7d4f8a9
SHA1 hash:
c47f618792fa4583ddfb9c667bd0c1449e249b58
Link:
https://www.unpac.me/results/182eac01-c61b-45cd-bb0f-b513ed70c180/
SH256 hash:
1f1e5318a951f5d7bc87cec9f25125d52b2db4871610d24c545e39ea43327b72
MD5 hash:
5668d0878a88fd4dd002cb50af65cec8
SHA1 hash:
ab0f7d0b6e80c17c8cc579f4c0dd19abab0e717f
Link:
https://www.unpac.me/results/182eac01-c61b-45cd-bb0f-b513ed70c180/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/182eac01-c61b-45cd-bb0f-b513ed70c180/
SH256 hash:
65aef34c0cfcbf9764a3829589317775aec042e674f20d33241b6024fb55f569
MD5 hash:
fb3ba7830d4b4c216a68c973114f9a27
SHA1 hash:
947c84e5feae0192c8363206e0a35bc5e61c6ed3
Link:
https://www.unpac.me/results/182eac01-c61b-45cd-bb0f-b513ed70c180/
SH256 hash:
69193d4ec928b60a32ed5ee6e8fdab3da230436b8c50062992a7dba0761b4928
MD5 hash:
cf3b94170e79640c8e4f4ff0cf1e11a2
SHA1 hash:
553907b7789a0763e300be6758e47dd1feecce7c
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/182eac01-c61b-45cd-bb0f-b513ed70c180/
Parent samples :
9379c08a611d759dd3dd8532c51baf927373581ec4ed728e7fe9e418aa297ed2
d79b67e9e7380e870103acd7b29951d0a4cb5f6da18c28a21070463aad65be45
099dfc4278cbcfc8c1e84bd46bde0b5ddbdc86b20d95b8ba6b98b66b4436a345
ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee
fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
SH256 hash:
ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee
MD5 hash:
54ff5aec947510cc8ee54af34bbfa3e6
SHA1 hash:
3c261614633b0f6e5ff5e7ff4e046edabd544ef6
Link:
https://www.unpac.me/results/182eac01-c61b-45cd-bb0f-b513ed70c180/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ad9510ceea49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reverse_DOS_header
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects an reversed DOS header

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382001/

Comments