MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1f0bac90d9bf80413dc40ca555b44e13f9dd297780d7f6aab549143e3fa880c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1f0bac90d9bf80413dc40ca555b44e13f9dd297780d7f6aab549143e3fa880c
SHA3-384 hash: 823fcb32de713162997401cd3c06a947e363707c6d4a6a0be3ea605dd4200baaf9d5fd01c25d90f6b1a8f74719a8239b
SHA1 hash: 47bead5c3dd699a2f8c6b7b971a063b526d64735
MD5 hash: 1692a27ca78de8a184ff2ea17d96cf5c
humanhash: cola-video-may-pizza
File name:Booking70116574.exe
Download: download sample
Signature Loki
Create hunting rule
File size:527'872 bytes
First seen:2023-09-12 07:35:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:u6CPYyVF5D6MUc+hCAJl0jFHkDQkjHllBgjxNLY:uvg+F5DjB+h4jFHkDQkDlsbL
Threatray 3'977 similar samples on MalwareBazaar
TLSH T137B4F1237B01EFAAC53A87F57C55E1024772EE1E9C50934969D572B69C32B13803AF17
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://sirr.tiscali.buzz/_errorpages/sirR/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Booking70116574.exe
Verdict:
Malicious activity
Analysis date:
2023-09-12 07:41:41 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/b7e4891a-eace-475c-9269-09a96f30ca2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448088/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/650014e39bae8a3785538168/reports/c95d4df0-6abf-488c-8712-6abc87c19205/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/c1f0bac90d9bf80413dc40ca555b44e13f9dd297780d7f6aab549143e3fa880c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b00f0d03-2d82-400b-b785-118a66c1eb62
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c1f0bac90d9bf80413dc40ca555b44e13f9dd297780d7f6aab549143e3fa880c/
Threat name:
ByteCode-MSIL.Ransomware.Loki
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 07:36:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
14 of 23 (60.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yhylvsintp4aie64idffkw2e4e7z3uuxpagx62vlksiuhy72raga._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04f557582bc8b4c4af843d0c837124da73f887ac5b997efdd78f96d45caced85
Loki
0bcb9bf4516773558cd8464a3b7795d3752f8eb27840e848db87a55df9393d25
Loki
0dc69e491c783527c6465e25b8b33447391ae9d7ace6e4c1c20db8047aa1918a
Loki
0f499eaeeba3237aedfb784cf65c67ef9aae645ab0d4153cb6af1289e37040d7
Loki
4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217
Loki
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
Loki
7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a
Loki
def88fc364ed03678d528bfd6bc39f19ff1831b098aaf0705fa13063c4044a2a
Loki
+ 3'967 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230912-je9qdaeb3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://sirr.tiscali.buzz/_errorpages/sirR/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
9a63b62a1296933300f9cda87fefbdfc9f55ee908575a2130c641c9fd0c4f830
MD5 hash:
651ffbf7723d66c959851ec6c450fba2
SHA1 hash:
f7cf3587def824a298ae36da8ce82c62e2245f48
Link:
https://www.unpac.me/results/dc83f8a3-e899-49f2-890a-d1d567ebf4e2/
SH256 hash:
25474838967bd081b2c7c8b77025785f7bfa879cbac3e8ef2ba60a94724bef55
MD5 hash:
2600738d37fd27a2d9634256e25eee4e
SHA1 hash:
d79153e40089221f1b32c97d516b94616d3c3284
Link:
https://www.unpac.me/results/dc83f8a3-e899-49f2-890a-d1d567ebf4e2/
SH256 hash:
0630b864e828fff2d66f33ab7d00fad231df4c00fc0bbad313ee0d12ca503198
MD5 hash:
f559a9abbd849eb977d262d597d6e4fd
SHA1 hash:
0a8769b40b026852690c89b913c2812817ef43c8
Link:
https://www.unpac.me/results/dc83f8a3-e899-49f2-890a-d1d567ebf4e2/
SH256 hash:
6604776b201f15f4f3af51ba4b274eceff738ee4098fb40f37855d508f89184a
MD5 hash:
0a48599f78c5042ee43c5e3316c0d1cf
SHA1 hash:
054763aafb4b3a8ba4144534299a6a3c6ee95b34
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/dc83f8a3-e899-49f2-890a-d1d567ebf4e2/
SH256 hash:
c1f0bac90d9bf80413dc40ca555b44e13f9dd297780d7f6aab549143e3fa880c
MD5 hash:
1692a27ca78de8a184ff2ea17d96cf5c
SHA1 hash:
47bead5c3dd699a2f8c6b7b971a063b526d64735
Link:
https://www.unpac.me/results/dc83f8a3-e899-49f2-890a-d1d567ebf4e2/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c1f0bac90d9b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c1f0bac90d9bf80413dc40ca555b44e13f9dd297780d7f6aab549143e3fa880c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/448088/

Comments