MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b31322fd05fbcbc2f7f66a99695adab27180ee89e574946827f97648bdd30a78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b31322fd05fbcbc2f7f66a99695adab27180ee89e574946827f97648bdd30a78
SHA3-384 hash: 1e415fb57a0e080239402674825eee9f09c24e3cf061c956feb42b2ec9a1c3d6fea36af3d70e527ab74f7aaea939e365
SHA1 hash: 6ddee8dc3a2fd1de921239445f54c783942b7887
MD5 hash: 72e16e10fedcf11ab7071c6542ce05a6
humanhash: mexico-oven-xray-yankee
File name:Quotaion formGYU21-SP-E030.exe
Download: download sample
Signature Loki
Create hunting rule
File size:847'872 bytes
First seen:2022-08-27 14:25:35 UTC
Last seen:2022-08-27 14:39:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:+q2RBYknwHSHe+IYPMQcfBxCdBwclHIxh00dGKqwiBYc+whftFpa0Mt:kRna8SMBflHIt5qwWfltFpa0
Threatray 9'104 similar samples on MalwareBazaar
TLSH T15005DF7136F91F11C6BC4BF11560248017F53A6A296BF72D2CD678EB26B2F0187A2D27
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 7964c60925626967 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://162.213.249.190/?google

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://162.213.249.190/?google https://threatfox.abuse.ch/ioc/845712/

Intelligence

File Origin
# of uploads :
2
# of downloads :
352
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Quotaion formGYU21-SP-E030.exe
Verdict:
Malicious activity
Analysis date:
2022-08-27 14:26:53 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/f8c790cc-d329-447f-bcf6-7a549281a7f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/301619/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.2733.17135.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/630a29f8b6f2a6ec1d67df1d/reports/63d81506-93a8-483f-853b-6c71c6365256/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e2b18686-9447-4266-821e-15b32e6600f7
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1058921
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b31322fd05fbcbc2f7f66a99695adab27180ee89e574946827f97648bdd30a78/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-27 13:58:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
76
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wmjsf7if7pf4f57wnkmwsww2wjyyb3uj4v2ji2bh7f3erpotbj4a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0627647ce2d12185c2e2f16c21497c3f232132c55d7ebcaba6f440448ff065c7
Loki
06af98f5f328aabcffc8f302f664604b77c1929aa555650edf2eddb9922c50be
Loki
1ca7cdf43e6db8fbeb7bd699b191bc593e85909b51a380a8b02f394165f3ec4e
Loki
1ecbe12894a4e76f7b609f70718c1175906a8f975d12311bfe0bf3ef26864205
Loki
295927884601f60aab3760c0d2bfd3e54dae499d1f06784f6dfdc2e2e9a60528
Loki
2a8466c5792d06ae787c6486ca8ba58e97f0d60138e024949a3d3c0663ccdf4e
Loki
9c69722860cf9df9b7eda8ab91abe34682055cb221d069589924c329184993a1
Loki
ba180ae6674d9daa2cbd08847130b5c39e82249838b3d7da09b3b2f67be526dc
Loki
f30fd3eac2f68db757aa698a3438c007c52e7959a92d16015289621e5c538d4f
Loki
f93686132fafb1e353e89de05c54e91b6b799da7001bdb5feba81c0cfeb0ce36
Loki
+ 9'094 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220827-rrv2rachg5/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://162.213.249.190/?google
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
a6d5363ebb90637bce5ca9e79739b02b64b36729848c0f1501a98bab68c6f0a4
MD5 hash:
96a6695328aa186f8bad5aefb8eae414
SHA1 hash:
ca6c26c0814dc37f430f65bf8d72d4c6e1b17134
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
Link:
https://www.unpac.me/results/6f4b4b53-1b35-4009-bceb-8429faedf73e/
Parent samples :
b31322fd05fbcbc2f7f66a99695adab27180ee89e574946827f97648bdd30a78
62b2fa02612f1ab0b48ac745c2374e2e07a195221f4e1692f7815978a6322d6a
SH256 hash:
9c4451c50ccfad2f43e42bea9290a5145cf86640bbb36d6d637f621dd9a3fb76
MD5 hash:
09f311cd9957e8afc6dae9dff77e532a
SHA1 hash:
6de8eed618347040c0c42ddc1ebf269c22633a93
Link:
https://www.unpac.me/results/6f4b4b53-1b35-4009-bceb-8429faedf73e/
SH256 hash:
1fae6b156117446d2b1d85b1cc0405700e1def9ecbdef39a99a337cc4c7c216d
MD5 hash:
4de7d668c4859074a5bd65b631c3b070
SHA1 hash:
6203f991178fc715ad4917105caf0eafa7b87862
Link:
https://www.unpac.me/results/6f4b4b53-1b35-4009-bceb-8429faedf73e/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/6f4b4b53-1b35-4009-bceb-8429faedf73e/
SH256 hash:
3368ff4289e8df0df48a4731edd5121aae96060c6fadb9c58bd04097c65bd09d
MD5 hash:
b2696ecb3edc93bf3978c47209369c5e
SHA1 hash:
077d745b25b20d22983d08e7bc36d0ed9f03f09a
Link:
https://www.unpac.me/results/6f4b4b53-1b35-4009-bceb-8429faedf73e/
SH256 hash:
b31322fd05fbcbc2f7f66a99695adab27180ee89e574946827f97648bdd30a78
MD5 hash:
72e16e10fedcf11ab7071c6542ce05a6
SHA1 hash:
6ddee8dc3a2fd1de921239445f54c783942b7887
Link:
https://www.unpac.me/results/6f4b4b53-1b35-4009-bceb-8429faedf73e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/b31322fd05fbcbc2f7f66a99695adab27180ee89e574946827f97648bdd30a78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/301619/

Comments