MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
SHA3-384 hash: d6561d3e9aacf6e7a8b1b0349bdf71282f4df283c0c42090d4597abd223e2ab8d5e178de8fdf29c464dea16d2d1cdf68
SHA1 hash: f4076bac7244876f5e9d460cc9f5644f94dd3439
MD5 hash: bb81a5ed59bce783033cbede91359eb9
humanhash: wisconsin-robin-violet-pennsylvania
File name:SecuriteInfo.com.W32.AIDetect.malware2.24790.9435
Download: download sample
Signature Loki
Create hunting rule
File size:347'648 bytes
First seen:2021-10-11 11:22:36 UTC
Last seen:2021-10-11 12:04:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61b48ca689a3ea2404ab8a6768ce938b (6 x RedLineStealer, 3 x Smoke Loader, 1 x DanaBot)
ssdeep 6144:HLyZ0C6CbAPGBHf2k/QVIRo6naoPINpOpIkqrppsX2:re0CW+BpYORoQaoPWOpjqrz
Threatray 5'008 similar samples on MalwareBazaar
TLSH T152747D00B7B0C035F3F316F949BA5AA9A53E79A16B6494CF22D15AEE46347D1EC30317
File icon (PE):PE icon
dhash icon 9824e7d0e4e72158 (3 x Smoke Loader, 2 x RedLineStealer, 1 x RaccoonStealer)
Reporter SecuriteInfoCom
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice- INV-121920.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-11 08:58:34 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/2b8a7c1b-671f-44cd-8451-bb345a48d152

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196594/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.24790.9435.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware stop
Link:
https://www.filescan.io/uploads/61641e97fd35fe780c37dcf6/reports/554c2927-f1f2-4530-91bc-b8f9f1827b32/overview
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867963
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 11:23:06 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xa7vh5t2fmx2juvl62qm463vkqtikzq55kwjv2zblh26ewlx4eha._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
Loki
2eeff837091b7d78f534e717e171890b69d22317d39760b91292203901bfca68
Loki
4eb265e9a2a0b119bb5d4da0eb39c17d9b2a25aab1f14abd4b41f80087ac1556
Loki
573a2b0730e4da202bbd486ceaf7cf0b9cea7d2ca1a07448ec41e06e419bc104
Loki
94ce947ee07dc19d535d78551ba3a64ffc394fd3049b0719f43ec9f78be32c08
Loki
ca471f5b9cc2a2ea2e2d8b250f550e2a98c93cf322f7d7497dcd4cc1736f5448
Loki
ccb35b7420b1699e5d4896f5ac66445dc44f51b5f9311382eda1b501c3125fe8
Loki
dc92dc39a66515cd3422763d9dab9b0542f79c1be3a9b0b2add7a59f7ed0a182
Loki
e8ff02a0c3ef623bed6098ffee7befbd2595f1f7736971dc98954f88a40c087d
Loki
fb9dae4e80fa931e907f532772eb742e1a18cea81288f223ea8c7bd272657648
Loki
+ 4'998 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211011-ng5awshab9/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=119
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
e641af581e3e33501b2c63a4f9d82f4d6e9eb1df24e3fa7e30a6f8c60bd4a140
MD5 hash:
6d641b36e37a83166c34fc20a1a8eb55
SHA1 hash:
a597687163740a868fd6bbeba3286ed4fea04ce4
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/ca526c70-1307-48d6-8fcf-adc6ae959ab3/
Parent samples :
137db6baaee41625a255900d2e76eb3c42575398bf06b92e2a0ef50a40305cc1
2b0adb1ba45e7ea11b27618151f3a185ce653c81235ab523dce4292403f99ac0
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772
SH256 hash:
b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
MD5 hash:
bb81a5ed59bce783033cbede91359eb9
SHA1 hash:
f4076bac7244876f5e9d460cc9f5644f94dd3439
Link:
https://www.unpac.me/results/ca526c70-1307-48d6-8fcf-adc6ae959ab3/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b83f53f67a2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1666301/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196594/

Comments