MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147
SHA3-384 hash:	e4e2a120cb2cc5772ff7b4cebcc82f69b82fcaac949c8fe21fabbdeb9d71e7b7bc57c1f74d8bbd9308a5d5818bee01fb
SHA1 hash:	873f2c10cfea8cf82dae670b839a8f98d4e2e6d2
MD5 hash:	b4e65ed28277c81bc487a30b282b88a1
humanhash:	four-undress-blue-oranges
File name:	b4e65ed28277c81bc487a30b282b88a1
Download:	download sample
Signature	Loki Create hunting rule
File size:	1'283'584 bytes
First seen:	2021-07-30 08:34:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:SYiS/d3uYdk9Jt6UWHpT//I+NmwRGPoN7vdiTbnFM:xUJcU0T//Iem/PoiM
Threatray	3'915 similar samples on MalwareBazaar
TLSH	T138550135858DDBEACC9807750F8C03B43EF2949AB1B0E5B93E4A47B0EAC4D25E579742
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

583

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b4e65ed28277c81bc487a30b282b88a1

Verdict:

Malicious activity

Analysis date:

2021-07-30 08:38:30 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/ba553494-0586-4fb8-8418-af149cc45fd0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/175244/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/82433770-94ab-4be5-9b63-847b9df80184

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/824425

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-30 07:40:45 UTC

AV detection:

15 of 46 (32.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yzk4yikzodpmlvcte6keun3gzevuxq6zxnyvd6kfxhrt22a2wfdq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer suricata trojan

Link:

https://tria.ge/reports/210730-h7f3ll5qhn/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

CustAttr .NET packer

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://manvim.co/fd5/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438

MD5 hash:

68463851c0e6fe7a254c99fae763d454

SHA1 hash:

4587a5371d88c296a0184fe47ee0c5245b187127

Link:

https://www.unpac.me/results/1bcc91da-b101-4bb0-a3e9-25f7676d0331/

SH256 hash:

bfd15cc2a18eb65fe3d75e68a92b73509277bad7d65dfd503722f4c09c2f00e7

MD5 hash:

c7d4f4a65deaecd5f2f89013e8b4e7f5

SHA1 hash:

34235904d4f9d2cbb0a666d339d99771dd2f38cd

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/1bcc91da-b101-4bb0-a3e9-25f7676d0331/

Parent samples :

a6aaddec76836b2a28fc166f5d61c494fb7646bf39accdd5302fd1d780b629f7
f65830401cf628b23ffb0de217cb465b985797ca7ff4129753511f3f93862590
822c7b5b3b56f0826494e8d4490f141f5dfd34dad0201699acc797d93efe577e
260787b8265c23f5bd922d6345f14a7f6242e336375544e96fe325e31af8a5d0
7746d06b49835e0b431daaa65c560b936ba1598e886a1749496966da2918ce87
1ea40cca77e0d4e409a0a2364b57d43b05ee46736b2b656744054790e0c8608d
58aa35af01b43dc0e414a64d596cb2416384e0b0085d0a6137676fc56dbc3c07
61fc463e85fb2fa581c8d7ba3321992bfe69d28dc8ca06660875d8b9e9701ecc
06c7f215dc0c66b7c65d344dd461bdc9f13f948d53a4d36914594dee780d9ac2
7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e
0b69967e2521d32bbe7e73b50d7458aaf1ef1d61e4ba3ecd3fcbe4efde30a37a
c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147
3f4e7765b271ea4766c05cb4a29e14b22ec22d4ad42da74372fc3b475b0f0566
e3c270600328928f0c6576743fd759ca88b86abb024ae180549c3a5be0e7e41e
276df8a116116425e538bfea657c789006d45a6e9f2802f396154574aa0085e3
c4b7287b0bb9ecfc2f4d2fb4dcb39452bb13714398dcff0cddc3ae4a673dae0b
f72043a7f6269e23272d97de16df7f3cd04a0c7463f6f16175b66332fe336083

SH256 hash:

a595cc8175dfbcdd4d5222f6c36e12680fd545abee60b76f3b9830b767a314d5

MD5 hash:

2e156a0f29ea625be66e7ece2ebf9edd

SHA1 hash:

19d7c08b75b115589b2edb4a7c87cf2e9a4ebe94

Link:

https://www.unpac.me/results/1bcc91da-b101-4bb0-a3e9-25f7676d0331/

SH256 hash:

c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147

MD5 hash:

b4e65ed28277c81bc487a30b282b88a1

SHA1 hash:

873f2c10cfea8cf82dae670b839a8f98d4e2e6d2

Link:

https://www.unpac.me/results/1bcc91da-b101-4bb0-a3e9-25f7676d0331/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c655cc215970/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/175244/

URLhaus

https://urlhaus.abuse.ch/url/1491563/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample