MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba8ea201e1c889d09667b3ce0fa12b62d0ed420cdcbf0c3bbc3a02f53763310e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba8ea201e1c889d09667b3ce0fa12b62d0ed420cdcbf0c3bbc3a02f53763310e
SHA3-384 hash: 968e36278378b9e287f174228e441ac69a33b9e533acb6cfd127e7d25fecd1fa50b071169aa8e244daf9c64c77383654
SHA1 hash: 8d53682c8a98dcaad9ea3fe89a0d9868f01770ee
MD5 hash: 17dd6b0a68a2c153f63d78a8b3d34a28
humanhash: uniform-johnny-coffee-bravo
File name:gunzipped.exe
Download: download sample
Signature Loki
Create hunting rule
File size:662'016 bytes
First seen:2021-05-06 02:25:32 UTC
Last seen:2021-05-06 03:11:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:JooLLoS60/K7yh0suHHeUoTnv0tFOO+G+xen:JooLADKZ/G
Threatray 2'952 similar samples on MalwareBazaar
TLSH 6EE44AAC755469F0D35B5D22A3CF0C0683651274A93BEA0A8F6013FA1A57F173E39D8E
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://tepevizyon.com.tr/xx/Panel/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://tepevizyon.com.tr/xx/Panel/fre.php https://threatfox.abuse.ch/ioc/29951/

Intelligence

File Origin
# of uploads :
3
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/151175/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.4759.3548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/712925
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ba8ea201e1c889d09667b3ce0fa12b62d0ed420cdcbf0c3bbc3a02f53763310e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 02:26:12 UTC
AV detection:
16 of 47 (34.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkhkeapbzce5bfthwpha7ijlmlio2qqm3s7qyo54hibpkn3dgeha._file
Verdict:
unknown
Similar samples:
130a875f36a8c9c6b7f9cf7ef2d863837af130538770c76d92b6016b8a00a6c0
Loki
28b88aa9eb8a0c26b778b76cf91f5ad2b05c013fcbee258c5df0f9d23200bbf9
Loki
476d5d7615d297e6946a9c4926e0490e13db0cbce9fad9a97d3d4175fabff511
Loki
4ae09441287bb601114041d8eec7857f10882dfcb48639c155d9a6969da9c5f0
Loki
88150c5bb2e0ca4d256c610f241903363bfd813124499ab4b2e18ab9b8a5d3d8
Loki
9662d1e4c72efe73a1f203ebead6069990342a4da6314737e3a02b08e2d68075
Loki
b79575224117cddb4e62b8aad2f2b508ec66ba70b2f86f1d52bdfb7003564fcd
Loki
d49e81b866a31f5ff08ad550f6e6cc7a2fadead9858abdbc289538d18825d87a
Loki
f61aad237c0506a3b86a566467ed40fa61e3891af970490004ab0354b63fd22f
Loki
fa19f07b5cdf08055f110390e930f284f91222fa4c1341c6b9b9d85b21e30837
Loki
+ 2'942 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210506-an8mz6mdta/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
https://tepevizyon.com.tr/xx/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/d4a69045-3422-4846-ac7a-aa7a3403d812/
SH256 hash:
9414206966b148e82ce1224b0be172078a43c6263424fe7c77e444873c25c752
MD5 hash:
f30909292457ec200843f27539e93eb4
SHA1 hash:
d67bc51ecb42c8787547f0f119f49fd82d4c8009
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d4a69045-3422-4846-ac7a-aa7a3403d812/
Parent samples :
ba8ea201e1c889d09667b3ce0fa12b62d0ed420cdcbf0c3bbc3a02f53763310e
b0db621ad6900070e3b0702ba1a8f76af06f4acc52e172c4cd50a11cc3d786ec
SH256 hash:
d7cd846e9a1597c7f5a1dc4c747c33701e2197fb14838135819962684e572a23
MD5 hash:
50964e15f31588d5751f7a448e7d93ab
SHA1 hash:
88705418bb1acc85ddec77ffe73ea3612b3817f4
Link:
https://www.unpac.me/results/d4a69045-3422-4846-ac7a-aa7a3403d812/
SH256 hash:
ba8ea201e1c889d09667b3ce0fa12b62d0ed420cdcbf0c3bbc3a02f53763310e
MD5 hash:
17dd6b0a68a2c153f63d78a8b3d34a28
SHA1 hash:
8d53682c8a98dcaad9ea3fe89a0d9868f01770ee
Link:
https://www.unpac.me/results/d4a69045-3422-4846-ac7a-aa7a3403d812/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba8ea201e1c889d09667b3ce0fa12b62d0ed420cdcbf0c3bbc3a02f53763310e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/151175/

Comments