MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cacfb6c27497dc8b096a670eb26497d7af1ebb698f2b34514c18f75aa60c0745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cacfb6c27497dc8b096a670eb26497d7af1ebb698f2b34514c18f75aa60c0745
SHA3-384 hash: 84b92d6918ffa8f9095561b30732a195dcacb968ae82888cb29d15e9a22762113ab830cc323647f3123d7e77f9ab621f
SHA1 hash: 653dea05786e3dbacc91e7f4fbf482bc9bac80be
MD5 hash: 5ff7d4ccd01930d49fafd5b519d01490
humanhash: sierra-nineteen-ohio-bakerloo
File name:hXZq4g8VnHbOrND.exe
Download: download sample
Signature Loki
Create hunting rule
File size:862'720 bytes
First seen:2021-05-06 11:51:38 UTC
Last seen:2021-05-06 12:58:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:F9l8hT0fUoLLoS60/K7yh0F7EHgRbNxviNWInn7TbZz29IosveKa100WXM546EBk:F9M4fUoLAF7EH6VXUnzh2ae1r
Threatray 2'943 similar samples on MalwareBazaar
TLSH 3405F6EC711075EEC6178C22DBCE1C25E6202176972B9607972303BD9E0EE57AF385E6
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151559/
Detection(s):
SecuriteInfo.com.Artemis5FF7D4CCD019.30540.19675.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/714025
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cacfb6c27497dc8b096a670eb26497d7af1ebb698f2b34514c18f75aa60c0745/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 11:51:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlh3nqtus7oiwclkm4hlezex26xr5o3jr4vtiukmdd3vvjqma5cq._file
Verdict:
unknown
Similar samples:
20c96b7d59f0c3cfaf7d4d712a8b7defb21d901dd53c910e27fdef15e85b0836
Loki
63020b39b5227a6d191e3f59639181c46aa915b28ef97fc45a8b8e1a6a239999
Loki
634a2cd851b0ae22d1ba8775341f2fc9b00ed207d7b25d6f1ed88d8ee72ba053
Loki
63f8140e7e37fa045e36df9e5cd9858ad270161732d570735ee82bcef73f17b6
Loki
93df7f1de03ce9fe65fb9acaef08adb8b12e4fca1c6ae3333cdf2563d161268a
Loki
c9f077e9f070979416f8d2b1e8d263eda9897dfb2390865ea4c2162c0780e1ba
Loki
d40ba6722ae1f278d8c73552c4b18c50808264ead08a491002de7519e984e60d
Loki
e2e4e50d3c44c62b73cd123727de4f99eba62182a89008c374709bfdeb0eabb5
Loki
e371264367bd07e03b5ccb18c60859ded59c7ec201adc8d3eecc07f6afa0eb0c
Loki
ed5b35389cdc15f792ffef0bac637b0758a566d59945429d6e7e56965bd26b31
Loki
+ 2'933 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot evasion spyware stealer trojan
Link:
https://tria.ge/reports/210506-aylrhtvzt6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
Malware Config
C2 Extraction:
http://173.208.204.37/k.php/7MPTLmOD4nAsj
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/d682d4b3-39b5-41c6-8f5b-da15fcdd8a3c/
SH256 hash:
a4d72c79965a816692695d4afef32a65adc5be4259c7cdb724e45b6859a261c0
MD5 hash:
c10e5197c0cbf006332edf24712dcfda
SHA1 hash:
eced031aba71b7e9894287a61c908e6886418c00
Link:
https://www.unpac.me/results/d682d4b3-39b5-41c6-8f5b-da15fcdd8a3c/
SH256 hash:
c24b9e890490eb6a3035834194e8518c8dd37e1d468fb67360cad268a92b219a
MD5 hash:
9da918b38b2de92b2626e0149ef04bca
SHA1 hash:
b3da36e1984b4929d56ba1a4ce54a58a1c2f618f
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d682d4b3-39b5-41c6-8f5b-da15fcdd8a3c/
Parent samples :
ca02eed888cb82c327694a08bfd6083e2ce17266828ac02a55229f9dec2f0a63
1175f6cfd450932c6257e581e6eea18afb20b77845cdb222ecff626bc125c976
57865aa6799923846c036857c9dd631006ea5f50bfcbcae54dba0d9209f25514
cacfb6c27497dc8b096a670eb26497d7af1ebb698f2b34514c18f75aa60c0745
f805f87e61a37553d84801457f31c1bf5cff3a34263c36fd3569be39f41a5d92
SH256 hash:
cacfb6c27497dc8b096a670eb26497d7af1ebb698f2b34514c18f75aa60c0745
MD5 hash:
5ff7d4ccd01930d49fafd5b519d01490
SHA1 hash:
653dea05786e3dbacc91e7f4fbf482bc9bac80be
Link:
https://www.unpac.me/results/d682d4b3-39b5-41c6-8f5b-da15fcdd8a3c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cacfb6c27497dc8b096a670eb26497d7af1ebb698f2b34514c18f75aa60c0745

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/151559/

Comments