MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16
SHA3-384 hash: dffac7404b50089f703cf81bf0ae85fe363cf5ab8ccac22a5d5a62d4435db1ff93d8fa91cbf495963b037ee2a883d068
SHA1 hash: 5d946c5565085123dd2c35e44842df92540752b9
MD5 hash: c2bd160e08dec3da08a4af740f3c6d15
humanhash: lamp-october-four-seventeen
File name:c2bd160e08dec3da08a4af740f3c6d15
Download: download sample
Signature Loki
Create hunting rule
File size:541'072 bytes
First seen:2021-08-04 04:07:52 UTC
Last seen:2021-08-04 05:12:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97750a00050e37c7b56da7bc3864f0f1 (7 x Formbook, 2 x Loki, 1 x RedLineStealer)
ssdeep 12288:mhQVh9a17gNm5YnXDdx2OjKhNHySntn/j987vWrIneDH6any:mhQVh9FDdx2GKzSStrKWrIneDHtny
Threatray 3'935 similar samples on MalwareBazaar
TLSH T1A0B4B011B9818032C2B338710779E2B65CBDB4606E205E9F97D80A795F744D1BB3AB6F
Reporter zbetcheckin
Tags:32 exe Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre https://threatfox.abuse.ch/ioc/165548/

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c2bd160e08dec3da08a4af740f3c6d15
Verdict:
Malicious activity
Analysis date:
2021-08-04 04:11:42 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/a653aad0-4516-405b-84d1-14d7a94ae5eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176207/
Detection(s):
SecuriteInfo.com.Generic.Cryptor.X.C25762D1.9229.30708.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/36fe1f20-14e5-4825-93f2-cf3aac4d7e52
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826610
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16/
Threat name:
Win32.Ransomware.Cryptor
Create hunting rule
Status:
Malicious
First seen:
2021-08-04 02:02:25 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wsgcvshxfqiwnbyjjxtnfmp4dmocyums55wjzig7sr5g4qdgvqla._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0fb699b995c7844be905bde197f7ba9da846861a5030b1bbf15bf5a5cc9c460b
Loki
24f818a962ee0e10764924354cb05a357503eb325c71dc3074091d917014b63c
Loki
89b691f7c5016920b20535dc985904842bdf04ab6a8dd34f1716883083b3f47c
Loki
b43f61f0ce7cc012f811460ae0c1483e90c6f5936a6c9033bdb9a14212879e42
Loki
b7780e3be29286fab7cf6ca17d1fc3f4acdde8329915d19e506719e553d81e7b
Loki
d8fd483add70039091773d90366a84d118ad2df72fd7ae927c5791fe0327bec0
Loki
e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d
Loki
+ 3'925 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210804-r88388ecxs/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
58ee83e559968615f1158a80068db0b445179bda82ec44773bf31c6488823213
MD5 hash:
54b08ebff71d9dd2174b6b8c4cb2b7c9
SHA1 hash:
4df8e3b24eeda1c51952f255308e9ff48712eebf
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/21347b1d-e754-4b3d-a7bc-b51f894a2ea6/
Parent samples :
dbadb8a0f9e9085409ebaf01c9a2af057597b2bbf5b8ecdef2f1c5601cdfedc1
e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d
b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16
f751e7c6878e6b3165a3dc815468501cb14355222e75cb2f18afc3cd4565cbdc
d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db
c2a568e116a85d6085f78797c6906be3986236bdebc72c8e50638798aed60503
SH256 hash:
b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16
MD5 hash:
c2bd160e08dec3da08a4af740f3c6d15
SHA1 hash:
5d946c5565085123dd2c35e44842df92540752b9
Link:
https://www.unpac.me/results/21347b1d-e754-4b3d-a7bc-b51f894a2ea6/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b48c2ac8f72c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1504215/
Cape
Cape
https://www.capesandbox.com/analysis/176207/

Comments


Avatar
zbet commented on 2021-08-04 04:07:53 UTC

url : hxxp://198.23.212.137/geo/vbc.exe