MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ae90d22f9ce84c653c4f89222ca85ac819c11a93ca3a720f4968666b8d14d488. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 13
| SHA256 hash: | ae90d22f9ce84c653c4f89222ca85ac819c11a93ca3a720f4968666b8d14d488 |
|---|---|
| SHA3-384 hash: | a44def9194678ba23a971353057158fc0bed028daa8d77483194fa286e9aecaa0b6a7c629af32ad918b699312099c0f2 |
| SHA1 hash: | d4880b6316cce56bda61040d11c51f242ec215f5 |
| MD5 hash: | 7c83c2fac1fda57a7bccf27738cb14c6 |
| humanhash: | north-solar-tennis-utah |
| File name: | 7c83c2fac1fda57a7bccf27738cb14c6 |
| Download: | download sample |
| Signature | Loki |
| File size: | 237'167 bytes |
| First seen: | 2022-03-31 10:07:26 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki) |
| ssdeep | 6144:HNeZmKkkSpA9alXLnxHZuHPevxxTF9UY2tKWYIPXNnfjiM8X1:HNlKkkSpA9albnBZYPeJZFf2tKOtjinF |
| TLSH | T14E3412B471F4D023E8B325709FBD96B907EB560748611A2713902F8C7E3A9A32D5F395 |
| File icon (PE): |  |
| dhash icon | b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla) |
| Reporter |  zbetcheckin |
| Tags: | 32 exe Loki |
Intelligence
File Origin
# of uploads :
1
# of downloads :
239
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Verdict:
Malicious
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2022-03-31 10:08:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://62.197.136.176/userbob/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
c204be9f9959ee8897cff135e8f7b2f209c21f413d834ae09583b2ebec23f298
MD5 hash:
e339f7012338060267b577e2eacf83c1
SHA1 hash:
076ad7ee300e3adc273b5ead400f0e1cc4661e95
SH256 hash:
d3c493c96512cdc6857f5a8a10a637bee4e48a68ab94a2068068edfd6179928f
MD5 hash:
4723d0ce1b77e5db573ea440958f7052
SHA1 hash:
4a7073fbe3327e00dd5642bd2e9bc7366e7615a4
SH256 hash:
173015bc9608f48545ec78e0189913ad1687b8b3890f7216e2caa3bb01b131ef
MD5 hash:
11aa8c01c852c5cf65dac3842764b632
SHA1 hash:
e9613151d209ee96532df2b5d71c0f8fd81df1d9
Detections:
win_lokipws_g0
win_lokipws_auto
Parent samples :
f56b737580b2d9b2a379cb016217827323a8290d9a3af96b643897c7de92bf77
e85188612aa3a2ae2cdedcf14fc707bd4730351f4d5e0895b68f6f74c401f92c
ae90d22f9ce84c653c4f89222ca85ac819c11a93ca3a720f4968666b8d14d488
283011e02f08ea4c1dfbf76d7322d2034ad3cbe6f0a839267adcfe2a56fcb2a3
b07a833d67de436ef2f5f9de15d3dcce8abd1c3cdd440282297dedb68529a22e
84279034085e5bc35a73aa8cffffcbaa49f560944125eb547524733a806cfd8f
b231f8e6f660efe916459e41e353449e4840edc57b15a308d1fcad833cedafc7
43c7f5fc7cfab29fae6e20f34e252bafc625d1498864cccf0450a2bb279f1df4
378f9b092b0ef255bfc83189a18d1fa6caf5245bddaf4bfb98236cdbc66fc277
e85188612aa3a2ae2cdedcf14fc707bd4730351f4d5e0895b68f6f74c401f92c
ae90d22f9ce84c653c4f89222ca85ac819c11a93ca3a720f4968666b8d14d488
283011e02f08ea4c1dfbf76d7322d2034ad3cbe6f0a839267adcfe2a56fcb2a3
b07a833d67de436ef2f5f9de15d3dcce8abd1c3cdd440282297dedb68529a22e
84279034085e5bc35a73aa8cffffcbaa49f560944125eb547524733a806cfd8f
b231f8e6f660efe916459e41e353449e4840edc57b15a308d1fcad833cedafc7
43c7f5fc7cfab29fae6e20f34e252bafc625d1498864cccf0450a2bb279f1df4
378f9b092b0ef255bfc83189a18d1fa6caf5245bddaf4bfb98236cdbc66fc277
SH256 hash:
ae90d22f9ce84c653c4f89222ca85ac819c11a93ca3a720f4968666b8d14d488
MD5 hash:
7c83c2fac1fda57a7bccf27738cb14c6
SHA1 hash:
d4880b6316cce56bda61040d11c51f242ec215f5
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many file transfer clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_GENInfoStealer |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing common artifcats observed in infostealers |
| Rule name: | infostealer_loki |
|---|
| Rule name: | infostealer_xor_patterns |
|---|---|
| Author: | jeFF0Falltrades |
| Description: | The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads. |
| Rule name: | Loki |
|---|---|
| Author: | kevoreilly |
| Description: | Loki Payload |
| Rule name: | LokiBot |
|---|---|
| Author: | kevoreilly |
| Description: | LokiBot Payload |
| Rule name: | malware_Lokibot_strings |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Lokibot in memory |
| Reference: | internal research |
| Rule name: | MAL_Lokibot_Stealer |
|---|---|
| Description: | Detects Lokibot Stealer Variants |
| Rule name: | STEALER_Lokibot |
|---|---|
| Author: | Marc Rivero | McAfee ATR Team |
| Description: | Rule to detect Lokibot stealer |
| Rule name: | win_lokipws_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.lokipws. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.url : hxxp://192.3.247.131/400/vbc.exe