MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b03bc075502514e1c5d65c599f0910d7ddc1c20f9b304d8421667013b68a6cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b03bc075502514e1c5d65c599f0910d7ddc1c20f9b304d8421667013b68a6cf7
SHA3-384 hash: 2a0e06be7bf293ed0e599d2cb294638a2e255f184c5b5047e6973d36c09ed9cc56a0b0e757044ee349579f2eba95f582
SHA1 hash: 38a62fb7b3961c9a864c2151c951462eda9fbef0
MD5 hash: 9fe197156cdff3fabed047c3d9cb40c5
humanhash: sad-five-princess-march
File name:Arajenlat keres Szam366·347·pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:826'880 bytes
First seen:2021-09-21 06:28:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:kcNeSsmtiK5oyZ/wD8C+C/VjUCGcCX4pURnuhmrC92Y0PX7CiKFIwUWVl8USkrKJ:kcNep+Fob3+YdUkpKuhmonK
Threatray 4'716 similar samples on MalwareBazaar
TLSH T1D2057DC43943A8DFF4DF99B3885E8C2065106DAE4216C33E2143762B99FF343795B99A
File icon (PE):PE icon
dhash icon eac6a6cc96b28acc (16 x Loki)
Reporter abuse_ch
Tags:exe geo HUN Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Arajenlat keres Szam366·347·pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-09-21 06:28:54 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/4ba6d8f5-f66e-490b-824e-a96b22bb781b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86127da6-4402-4158-82c7-e08922cbab79
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854588
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b03bc075502514e1c5d65c599f0910d7ddc1c20f9b304d8421667013b68a6cf7/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 06:29:09 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wa54a5kqeukodrowlrmz6ciq27o4dqqptmye3bbbmzybhnuknt3q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
08377819d79016a838d738bb146ee24b852e3405c9247dc97dd808ab94cf56c9
Loki
213263b19fc6d0fb989665f518de523dcc8021be36f94b880056523a4a4f4566
Loki
2d0e2e19f2d3e2faf0ca86ed07ecba6c8b6573ba00247b78fbb73e72c0a56311
Loki
4173cae36a80ef15ee084a9714c11589a6bc54bcc2b8fdb66e829b246ebf643f
Loki
716febe5997423d5119cf34fac0bc06ba25709982fb291c8d8ae57c47b923646
Loki
8487616e993913211f1c1d1888b24697f40132eed17e4f5ca2bf44b0edf036b7
Loki
8a91e2138a9a4052ae32d94ea0a88a0fab4028ed233bdcb6ff8d079882ad6e62
Loki
bb0a1c36697ce7271b0e78d81a2b0b66a635bd31c51bc30e2497344bd79fdebb
Loki
d2489ca180a16314fa8aad79b7bfff402c3f62f497a237786a5b4c9f770b380d
Loki
dac4bcba8c26214458b1acf0eee8696df8e070027d1688013482bd3352cb2b55
Loki
+ 4'706 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot evasion spyware stealer suricata trojan
Link:
https://tria.ge/reports/210921-g8dhxsbcbq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=472
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
cac8b347040a359c02ae5e658d3d76230c7dd7eb33505605ed0b9bc49ff268c7
MD5 hash:
71a894ff252c767b80d65ab1e54fda2b
SHA1 hash:
bcc4ff628585ca28b8b0f2c30e63049b910d4d49
Link:
https://www.unpac.me/results/95dee611-795c-4d84-80f9-a98f6b2b879f/
SH256 hash:
8906fd5f325af2325562bef23516de4b4ea5c1151489b3035f1464d36374bd6b
MD5 hash:
3c8a6a418d9897c5ef21db7c57055db7
SHA1 hash:
777b67d4ab77ceba61cd674d7f6ba6fe5d010544
Link:
https://www.unpac.me/results/95dee611-795c-4d84-80f9-a98f6b2b879f/
SH256 hash:
0eae9c3e515098483a197a7b1d6da23726520f6fd8526db5a1f06ff8af611093
MD5 hash:
2fb26b3bd6430b256b3d1cc85c10075e
SHA1 hash:
485bbce1679c5f80e3ebbdce7785de14e3c0dd2f
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/95dee611-795c-4d84-80f9-a98f6b2b879f/
Parent samples :
b03bc075502514e1c5d65c599f0910d7ddc1c20f9b304d8421667013b68a6cf7
929cf24f9b6ba0c9a1eac923be18c9de7fef3f7de33d79829ea6fa98b0344822
SH256 hash:
80b7cc7266a31b886177f56353b79fa4e344a8499156f49303331279a0a1b434
MD5 hash:
da9f3cd56ffaed7e4974e0d9c8019227
SHA1 hash:
0ac1b7264b48211f9b757fdeaf99d1d0ba246357
Link:
https://www.unpac.me/results/95dee611-795c-4d84-80f9-a98f6b2b879f/
SH256 hash:
b03bc075502514e1c5d65c599f0910d7ddc1c20f9b304d8421667013b68a6cf7
MD5 hash:
9fe197156cdff3fabed047c3d9cb40c5
SHA1 hash:
38a62fb7b3961c9a864c2151c951462eda9fbef0
Link:
https://www.unpac.me/results/95dee611-795c-4d84-80f9-a98f6b2b879f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b03bc075502514e1c5d65c599f0910d7ddc1c20f9b304d8421667013b68a6cf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments