MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 c206dea522616bcc623ba4ce9913dd0cbc56d9c48e37f15e133ef28680b12497. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 14
| SHA256 hash: | c206dea522616bcc623ba4ce9913dd0cbc56d9c48e37f15e133ef28680b12497 |
|---|---|
| SHA3-384 hash: | 3734dedfdfa2550ac80c9e3f09d5fe1d39ae729789492c54465a383c657289eb1d5942ffbac4c44ec508eaacbd48c3d3 |
| SHA1 hash: | 28e49fd039b26fc43843e038c717232f4aab09e2 |
| MD5 hash: | 74ba173928beb92974452d376208416a |
| humanhash: | hawaii-item-triple-tennessee |
| File name: | NEW QU~0.EXE |
| Download: | download sample |
| Signature | Loki |
| File size: | 398'336 bytes |
| First seen: | 2022-01-31 09:26:13 UTC |
| Last seen: | 2022-01-31 10:46:35 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 6144:jF7fezqzPnxeDfUlJ2vZ91Hx+LD+XGd3Jz2jDooVum:jF7fyqzPnxeDiwvZ91MX+XSZ64o8m |
| TLSH | T11C84BB1CB6C166E2FD1D93F049050A24AB162B37B640ABB233CA95CEB74F7AF1D45D84 |
| File icon (PE): |  |
| dhash icon | ecf210f2c92c6239 (1 x Loki) |
| Reporter |  cocaman |
| Tags: | exe Loki |
Intelligence
File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW QU~0.EXE
Verdict:
Malicious activity
Analysis date:
2022-01-31 09:28:51 UTC
Tags:
trojan lokibot stealer
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Changing a file
Launching a process
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe control.exe obfuscated packed replace.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Detection:
lokibot
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Status:
Malicious
First seen:
2022-01-31 09:27:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 28 (71.43%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://178.128.244.245/search.php?key=804bbca69db34fdedd7e35b325f9dcac
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
18166a11163c80ae8dce278685ee00f3cc4ee0a421d36921bbecce0cd7c28cc8
MD5 hash:
5044a688f7b1a2af86f5822923dbba7b
SHA1 hash:
81589812daae70fdac1d0128abf8f9ffdd102d83
Detections:
win_lokipws_g0
win_lokipws_auto
Parent samples :
787792a3a33c029a0fbf12d1943e2fade10ed0131dae14ee3c53ef8079fe2a27
bde19e5d6dd3a25d4e9000047abd15c5cde7245d6e0f1a7da2c327395e94cf8a
cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e
bf444cdc0512fb1356e21d63e99e5b07a03cb8e8728364463f5739b57ef77088
c206dea522616bcc623ba4ce9913dd0cbc56d9c48e37f15e133ef28680b12497
24ffea1bbee8be69f8507d1dff177b7da804ee45a22e5980d51d795f7bd3c948
bde19e5d6dd3a25d4e9000047abd15c5cde7245d6e0f1a7da2c327395e94cf8a
cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e
bf444cdc0512fb1356e21d63e99e5b07a03cb8e8728364463f5739b57ef77088
c206dea522616bcc623ba4ce9913dd0cbc56d9c48e37f15e133ef28680b12497
24ffea1bbee8be69f8507d1dff177b7da804ee45a22e5980d51d795f7bd3c948
SH256 hash:
c206dea522616bcc623ba4ce9913dd0cbc56d9c48e37f15e133ef28680b12497
MD5 hash:
74ba173928beb92974452d376208416a
SHA1 hash:
28e49fd039b26fc43843e038c717232f4aab09e2
Malware family:
Lokibot
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_EXE_Packed_Dotfuscator |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with Dotfuscator |
| Rule name: | INDICATOR_EXE_Packed_dotNetProtector |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with dotNetProtector |
| Rule name: | INDICATOR_EXE_Packed_SmartAssembly |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with SmartAssembly |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables referencing many file transfer clients. Observed in information stealers |
| Rule name: | INDICATOR_SUSPICIOUS_GENInfoStealer |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing common artifcats observed in infostealers |
| Rule name: | infostealer_loki |
|---|
| Rule name: | infostealer_xor_patterns |
|---|---|
| Author: | jeFF0Falltrades |
| Description: | The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads. |
| Rule name: | Loki |
|---|---|
| Author: | kevoreilly |
| Description: | Loki Payload |
| Rule name: | malware_Lokibot_strings |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Lokibot in memory |
| Reference: | internal research |
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | STEALER_Lokibot |
|---|---|
| Author: | Marc Rivero | McAfee ATR Team |
| Description: | Rule to detect Lokibot stealer |
| Rule name: | win_lokipws_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.lokipws. |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.