MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c98a42f6e9e5f2e0e12f69c4ce7022265b7db271369ddb2ebff3348c0434d3cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c98a42f6e9e5f2e0e12f69c4ce7022265b7db271369ddb2ebff3348c0434d3cf
SHA3-384 hash: 072995efd22286f48213cfedef97457c83026826f276d7d27c41519a4e8e2209d352d5f364a36acfc7c4d8b407660711
SHA1 hash: 81277ec7948dc16ba32b782c63f5ea08f4325ad7
MD5 hash: fbae05d8fbfbb56b2a96afabfcaab501
humanhash: utah-tango-robin-table
File name:fbae05d8fbfbb56b2a96afabfcaab501.exe
Download: download sample
Signature Loki
Create hunting rule
File size:376'832 bytes
First seen:2021-08-26 06:16:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 6144:j4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0PzZ:sXe9PPlowWX0t6mOQwg1Qd15CcYk0Wep
Threatray 5'345 similar samples on MalwareBazaar
TLSH T15384124548C4CCE6E71AB370D0B3CE9819757832CCD56B689758EA2EB870343B953E6B
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-26 05:55:56 UTC
Tags:
encrypted trojan opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/07f1423d-0dfd-468b-bd80-544c644c69ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182490/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3461e7e2-d27d-42ac-91b9-10854b4e481c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/839491
Signature
AutoIt script contains suspicious strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c98a42f6e9e5f2e0e12f69c4ce7022265b7db271369ddb2ebff3348c0434d3cf/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 01:02:38 UTC
AV detection:
11 of 27 (40.74%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
25aaaf18e2bd8f09ed33157220bfbfbf02ba8387a0439eee6c908439a663ec48
Loki
27534ee3bfdbfc3b5bfb4b61237354d3d529822b0b64789528c1a8c2ae455318
Loki
28168c7a0fffc6787241b2c6e8c9fc1590e5715fbea2af58cb2e4f92e72374fa
Loki
2f53c96770351e95583b6c3d3bde7c4d44f0fc9e324517fd084a61000ed63dde
Loki
2fe3de3f9daf6f31cbf0ae83afe4c1d831c539ece241177dc69cf56fb47ee49f
Loki
71f0b9fb2f57cc170b742c61535c5c657609766c18b00ef1e08cf737954a7433
Loki
74fec3ab0741be490ea78a0e85543f56d84909d7e6c1a808fa3b1bb5b0cc2758
Loki
accfb8da98afdd5a90448bcdead0ce0913e7c1c505a0e4a4fe661fb4dae3da6f
Loki
acd12da4b4032af20f766c6a2e26b837bcfd543fd01031fb0a9e4812ef66d103
Loki
df74667577ba476da01977b4ef436663d5ae6dfca32eed7e3f307d3b0a4bda47
Loki
+ 5'335 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210826-qrzpvaay16/
Behaviour
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
de121676d06efd801a5b7e6bf70c26d62b2acd17ea38c645be90cd00f458b1b6
MD5 hash:
605c7c621c09825428a90071c99c668f
SHA1 hash:
fc00487d320af821a201fa6dee9f73675c0f76c3
Link:
https://www.unpac.me/results/c7c90cd6-7d37-4eca-b7c7-46b5cd337795/
SH256 hash:
c98a42f6e9e5f2e0e12f69c4ce7022265b7db271369ddb2ebff3348c0434d3cf
MD5 hash:
fbae05d8fbfbb56b2a96afabfcaab501
SHA1 hash:
81277ec7948dc16ba32b782c63f5ea08f4325ad7
Link:
https://www.unpac.me/results/c7c90cd6-7d37-4eca-b7c7-46b5cd337795/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c98a42f6e9e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/c98a42f6e9e5f2e0e12f69c4ce7022265b7db271369ddb2ebff3348c0434d3cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182490/

Comments