MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e
SHA3-384 hash: a1ca2225e645738cc71d35bc3065ba8e241444f24952608e1c0330d26fbfa86327c85d402eba56e553b07fd8c883c696
SHA1 hash: 85dc06cbb3415fa759a43cca08f3a8d9d6738a64
MD5 hash: 5ea24e32645a71f1ac5a0e122fdc9aff
humanhash: two-lake-texas-johnny
File name:5ea24e32645a71f1ac5a0e122fdc9aff.exe
Download: download sample
Signature Loki
Create hunting rule
File size:748'032 bytes
First seen:2022-01-22 07:49:27 UTC
Last seen:2022-01-22 10:02:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:jhNNJbD7tuZALQjRpFoFe6RJNipQcq6+i9vYFUGh7W5on0fM+u3okTul7b3c9Jzl:rNbuKiRytlipQH6+i9vYF
Threatray 6'466 similar samples on MalwareBazaar
TLSH T167F4D5AD325071EFC867C972CEA81D64EB60757A531BC207901312ADAE4DA97DF242F3
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ea24e32645a71f1ac5a0e122fdc9aff.exe
Verdict:
Malicious activity
Analysis date:
2022-01-22 09:04:54 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/1b645c2a-a06f-4397-be03-037e7f2c3922

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221603/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GLJ.genEldorado.20404.21616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive ftp.exe obfuscated packed remote.exe
Link:
https://www.filescan.io/uploads/61ebb72ff81da814af988ca3/reports/89c53dbf-3b39-4077-8921-a111d0096dea/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c184fb3f-e6b5-41e7-9722-2f837688a280
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/925587
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-22 07:50:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwsjahru3myny5by6pqkivyvzralq4hnb2zpl4phwppmpubcrjpa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1c0ebffff17cb0bc33637a04d6cf313cc22a4652fca74c29a74a3a2eb1aaca94
Loki
1d885d15d44ee25d356b70b392b8e28afd66c96703653108224ae7337def768b
Loki
8cd7b7de5ee297ffccffb4b76da64f4e3dbbda669dc444785e0962b2b6a3b011
Loki
c038069e737cb2c74934c0e86449fb4e37d7bbeaef092cfe06e925431bcb4806
Loki
dff3acb06750e7022ea0b9937588022dbd36b26e905153d85087185517c3343a
Loki
+ 6'456 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220122-jpac9sachl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://178.128.244.245/search.php?key=804bbca69db34fdedd7e35b325f9dcac
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d8c48a3b6b2aef6c76a551a848df1f0abd91e56f612320bd383cbe0bac750da8
MD5 hash:
d203ebb9dec16efc1c8cad4690be47cf
SHA1 hash:
96e28d77f48a254d391f6f3b95093b273ba0deac
Link:
https://www.unpac.me/results/a80962a7-c2c9-41af-83b8-cece45853e2a/
SH256 hash:
18166a11163c80ae8dce278685ee00f3cc4ee0a421d36921bbecce0cd7c28cc8
MD5 hash:
5044a688f7b1a2af86f5822923dbba7b
SHA1 hash:
81589812daae70fdac1d0128abf8f9ffdd102d83
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/a80962a7-c2c9-41af-83b8-cece45853e2a/
Parent samples :
787792a3a33c029a0fbf12d1943e2fade10ed0131dae14ee3c53ef8079fe2a27
bde19e5d6dd3a25d4e9000047abd15c5cde7245d6e0f1a7da2c327395e94cf8a
cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e
bf444cdc0512fb1356e21d63e99e5b07a03cb8e8728364463f5739b57ef77088
c206dea522616bcc623ba4ce9913dd0cbc56d9c48e37f15e133ef28680b12497
24ffea1bbee8be69f8507d1dff177b7da804ee45a22e5980d51d795f7bd3c948
SH256 hash:
b204bf36a15d45fcac16a3c37ffd64e451d7073575268edc3345a2785bf26fc4
MD5 hash:
e9b674750323c40c856830b530e3b941
SHA1 hash:
7a82cba7d2ece4dad8d200179411cb069f73ade8
Link:
https://www.unpac.me/results/a80962a7-c2c9-41af-83b8-cece45853e2a/
SH256 hash:
cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e
MD5 hash:
5ea24e32645a71f1ac5a0e122fdc9aff
SHA1 hash:
85dc06cbb3415fa759a43cca08f3a8d9d6738a64
Link:
https://www.unpac.me/results/a80962a7-c2c9-41af-83b8-cece45853e2a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe cda4901e34db30dc7438f3e0a45715cc40b870ed0eb2f5f1e7b3dec7d0228a5e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/221603/
  
URLhaus
https://urlhaus.abuse.ch/url/1989812/
  
Delivery method
Distributed via web download

Comments