MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aeb27e1efaca54eeb061a1d72e2df1513bf849e34b777c32d5b5201845f5de15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aeb27e1efaca54eeb061a1d72e2df1513bf849e34b777c32d5b5201845f5de15
SHA3-384 hash: b4d3c598be45546a43fe5c113b6666ced9b97d9934cc2616d6f064d9d62c8486d67e4c04ebb2e7a0a864ad7d4d3ce03d
SHA1 hash: 9f7015f9578798b155733869c09ac2a577bc769d
MD5 hash: 431707700bf268fc6ed93fe9a305a9c2
humanhash: winner-alpha-bulldog-cat
File name:wMldxEJA2lhgxRw.exe
Download: download sample
Signature Loki
Create hunting rule
File size:559'104 bytes
First seen:2023-05-17 08:15:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:P2CkCbEIjYnzdfx2iRTDbn27XmqcG7/R5oBpY:vZbE1zdJXx273SBpY
Threatray 4'369 similar samples on MalwareBazaar
TLSH T195C4E03417E9C71AD0278739C0D1C7F0A73A9C95E4A6CB970FCDBD8BB29B1AA6710191
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://171.22.30.147/zino/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
wMldxEJA2lhgxRw.exe
Verdict:
Malicious activity
Analysis date:
2023-05-17 08:16:21 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/11726b37-27c0-4d9a-85a3-a9658206f127

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/390608/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.26701.17936.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook lokibot packed
Link:
https://www.filescan.io/uploads/64648d43f1dbf8a7cc9d2439/reports/7ae8940f-94c9-49fe-b0e9-5ddf8f163198/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/aeb27e1efaca54eeb061a1d72e2df1513bf849e34b777c32d5b5201845f5de15
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/613ecd5d-cd3d-4fe5-863c-367a963f49c9
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1235368
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aeb27e1efaca54eeb061a1d72e2df1513bf849e34b777c32d5b5201845f5de15/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-17 02:27:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2zh4hx2zjko5mdbuhls4lprke57qspdjn3xymwvwuqbqrpv3ykq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1
Loki
3de41e010beb4ede03eb2ef87e943b3a75402a3c13ca2033e1032ac160363768
Loki
4920cdf96db967e0df5414de0d8318d018be7af985158dddd3a4cf77af565bf9
Loki
683ab6fac70b21445c49dee8ce6cd8fef51c56896a24dfabe73b61fb0c12e83f
Loki
8394c05abbdce32e1b10f47a6d73dfa8faaa3b35da3ead54c9182216dfe795a8
Loki
e4887fdbdf3a4de9f3a9a244620a9a4f54de7e9a4be8b942df7c46c4cd93d366
Loki
e4a9cb185c46bf812bf29890c14a2f20f6dbddfc1e34abe5e15af668077b33f6
Loki
f60dfec6143b9281322904f2adb3787919478cce77e4f44c216f0b204f5a3fc9
Loki
f8725762bcc5a3d83234fd7a55cba1a002af80ecfe0eca2972899f49fa12934d
Loki
+ 4'359 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230517-j548ksdc71/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://171.22.30.147/zino/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
cf78e1f1138369778cca341c6f69402ec51f5baace1686a2772805e5fa40921e
MD5 hash:
331f6544c150e449a8dff1fe9219809d
SHA1 hash:
59fa081b0bf506b59164374806011f0b61134262
Link:
https://www.unpac.me/results/a4fd3b41-a9c6-4b70-9e21-331c40321537/
SH256 hash:
cae27450b662b12e2adbca87eb6ad54612f22cfd7d9cf2ab37d794f31521827a
MD5 hash:
ba285a91ab9c653a9ee757af95376297
SHA1 hash:
59e7df753854175fbf667c2f4f20f3f10ce8589a
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/a4fd3b41-a9c6-4b70-9e21-331c40321537/
Parent samples :
9cedcc423c89f58cdef6386a96d9d57237cc0ce9b84622651691ec7e40d1e128
8394c05abbdce32e1b10f47a6d73dfa8faaa3b35da3ead54c9182216dfe795a8
aeb27e1efaca54eeb061a1d72e2df1513bf849e34b777c32d5b5201845f5de15
b3303273446384f72e2a0f90c455f69598f341164c2bcfded2cf95b30e3a9295
94a92d06d9fac7101cb5c15f1afe2bce92b2186085cadc1ea2c72b2f6e154912
10018c42effd32f85253fccf9e6de9e7afc97a7a9369af5ebc6bee351fb52e20
SH256 hash:
6ba792e206fd6aa94e6d0b393c99c54276be223ad1209929c1ea880fb520f2ee
MD5 hash:
9a1fe306bd47dcb46e33789812f34a75
SHA1 hash:
db90cef5104c666bda450734d0ec22f65663fc4e
Link:
https://www.unpac.me/results/a4fd3b41-a9c6-4b70-9e21-331c40321537/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/a4fd3b41-a9c6-4b70-9e21-331c40321537/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
fdd16fd7985b88c12d0b09945466c23b79e1fbe75bca3c5b338cc1598d258fd1
MD5 hash:
8d526800d626d833e4928ed67471e7da
SHA1 hash:
1ab651459150c93f77438507406d158e70ee7c4a
Link:
https://www.unpac.me/results/a4fd3b41-a9c6-4b70-9e21-331c40321537/
SH256 hash:
aeb27e1efaca54eeb061a1d72e2df1513bf849e34b777c32d5b5201845f5de15
MD5 hash:
431707700bf268fc6ed93fe9a305a9c2
SHA1 hash:
9f7015f9578798b155733869c09ac2a577bc769d
Link:
https://www.unpac.me/results/a4fd3b41-a9c6-4b70-9e21-331c40321537/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aeb27e1efaca/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/390608/

Comments