MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772
SHA3-384 hash: d433af2bfa5ce63af9666f8218bb5e9d9a7ce09d9d6edc118a450dbf6b9f3e91ab1992430c9aa6ea323aa90e2f8f0c41
SHA1 hash: f857cbb31706dd139c157b97fdbce968845d3f7b
MD5 hash: 0c699aa8699b1bccd7c223aaa47ffd0e
humanhash: solar-juliet-sad-mango
File name:0c699aa8699b1bccd7c223aaa47ffd0e.exe
Download: download sample
Signature Loki
Create hunting rule
File size:348'160 bytes
First seen:2021-10-11 13:56:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 788721417ad6ed4eefc1faa143c04d8a (3 x Smoke Loader, 2 x Loki, 1 x DanaBot)
ssdeep 6144:uNOclyN4LZ+XgNCQxpepC/jwUMhHQ4Pt3EzO:FVyNAgNCGepC/qVQ4FmO
Threatray 5'020 similar samples on MalwareBazaar
TLSH T19D746D0076A0C035F1B217F8C97952A9A53E7DE1ABA490CB32D566EE56F46E0EC33317
File icon (PE):PE icon
dhash icon 9824e7d0c4e72158 (35 x RedLineStealer, 23 x Smoke Loader, 14 x ArkeiStealer)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0c699aa8699b1bccd7c223aaa47ffd0e.exe
Verdict:
Malicious activity
Analysis date:
2021-10-11 16:56:17 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/e45f4b60-26fa-462b-820c-9ee1ab300b02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196639/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.27493.25272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/616442b1fd35fe780c3820bb/reports/5d33e4b0-0e00-4e9d-a9c5-4d125d2bc275/overview
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/086fff86-bc24-4d97-8c43-14a390851524
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867885
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 12:42:39 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxrqxjyqt6geoqks6gte3k7af2ab6xo4qmjtscku4g53lycm45za._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
Loki
2eeff837091b7d78f534e717e171890b69d22317d39760b91292203901bfca68
Loki
4eb265e9a2a0b119bb5d4da0eb39c17d9b2a25aab1f14abd4b41f80087ac1556
Loki
573a2b0730e4da202bbd486ceaf7cf0b9cea7d2ca1a07448ec41e06e419bc104
Loki
94ce947ee07dc19d535d78551ba3a64ffc394fd3049b0719f43ec9f78be32c08
Loki
b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
Loki
ccb35b7420b1699e5d4896f5ac66445dc44f51b5f9311382eda1b501c3125fe8
Loki
dc92dc39a66515cd3422763d9dab9b0542f79c1be3a9b0b2add7a59f7ed0a182
Loki
e8ff02a0c3ef623bed6098ffee7befbd2595f1f7736971dc98954f88a40c087d
Loki
fb9dae4e80fa931e907f532772eb742e1a18cea81288f223ea8c7bd272657648
Loki
+ 5'010 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211011-q892kahdc2/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=119
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
e641af581e3e33501b2c63a4f9d82f4d6e9eb1df24e3fa7e30a6f8c60bd4a140
MD5 hash:
6d641b36e37a83166c34fc20a1a8eb55
SHA1 hash:
a597687163740a868fd6bbeba3286ed4fea04ce4
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/a77b4a63-200f-472d-b032-5f35685b74f0/
Parent samples :
137db6baaee41625a255900d2e76eb3c42575398bf06b92e2a0ef50a40305cc1
2b0adb1ba45e7ea11b27618151f3a185ce653c81235ab523dce4292403f99ac0
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772
SH256 hash:
c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772
MD5 hash:
0c699aa8699b1bccd7c223aaa47ffd0e
SHA1 hash:
f857cbb31706dd139c157b97fdbce968845d3f7b
Link:
https://www.unpac.me/results/a77b4a63-200f-472d-b032-5f35685b74f0/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c5e30ba7109f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1666301/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196639/

Comments