MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd8d9286525b1c6df2d531a06620f5c39e388843a515f105ce6e13d7d7e275b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd8d9286525b1c6df2d531a06620f5c39e388843a515f105ce6e13d7d7e275b6
SHA3-384 hash: cc4f3cf9576cea9dc47f1343fd76c24cb5b2f16031bc804f8cf8b6bf2a55e87196fa79e663d63909cd63ce27b74ed915
SHA1 hash: b378ac6858cd3db5cc0f9bf3108f59de054bde58
MD5 hash: 4077a697f805b064748abee28b075efd
humanhash: helium-single-cold-montana
File name:CtpIYy9OZ6K8kY3.exe
Download: download sample
Signature Loki
Create hunting rule
File size:806'400 bytes
First seen:2021-05-11 07:20:36 UTC
Last seen:2021-05-11 08:02:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tWWFULgPmw+pBSDvC63+ZWjbO8T1JLEscjjTmafDwSfZhgyi+iBYyi6:8P3pIPuZR8T1J4scj2afD/xriP
Threatray 3'612 similar samples on MalwareBazaar
TLSH E2051217A6D07B20E1BE17B7C4E2455086BBBE47AB13C95C68F438ED54B3BA90250BC7
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://albemalb.com/dumbo/dumbo2/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://albemalb.com/dumbo/dumbo2/fre.php https://threatfox.abuse.ch/ioc/35236/

Intelligence

File Origin
# of uploads :
2
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/154916/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Connection attempt
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778336
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bd8d9286525b1c6df2d531a06620f5c39e388843a515f105ce6e13d7d7e275b6/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-11 07:21:14 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwgzfbsslmog34wvggqgmihvyopdrccduuk7cboonyj5pv7cow3a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9
Loki
2347a0e7713f626fa94f646b3a410e5262236f9af04219bb1263f4d9a054a3fe
Loki
445e1ae4fb515ce4fca81255fc4f569ba238d2a7b3ba0c093f4d55bc8fa5ae08
Loki
476d5d7615d297e6946a9c4926e0490e13db0cbce9fad9a97d3d4175fabff511
Loki
57884d6b5a9d254322b1b54b37de7f547507f74f276db25423a6c10c0bd81351
Loki
88150c5bb2e0ca4d256c610f241903363bfd813124499ab4b2e18ab9b8a5d3d8
Loki
a7fa0b9c523e32efbdefa0c04cc8229bbdea0cc820d3362289e8d2b0670281d4
Loki
ba8ea201e1c889d09667b3ce0fa12b62d0ed420cdcbf0c3bbc3a02f53763310e
Loki
d49e81b866a31f5ff08ad550f6e6cc7a2fadead9858abdbc289538d18825d87a
Loki
e9b8e797fa3c506edffd22f690a3951878fa9ab230255f9c658410545aaae505
Loki
+ 3'602 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210511-ec9vybzasa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://albemalb.com/dumbo/dumbo2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd8d9286525b1c6df2d531a06620f5c39e388843a515f105ce6e13d7d7e275b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/154916/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 08:01:28 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection