MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d43cd307bf48505b33150202c0e787fcf79af09be0389558f5461d2a2ef64f2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Loki
Vendor detections: 8

SHA256 hash: d43cd307bf48505b33150202c0e787fcf79af09be0389558f5461d2a2ef64f2b
SHA3-384 hash: 82a81a9ed74743f72fdc34a225ae8008e96de2d914940c627288723c69dfcdc56fb812fa8d825108b440063614bca342
SHA1 hash: 59a89092ab039ce6968c5855fdcd76dcefbd4e8f
MD5 hash: eb9158b121ed38379a2c6e3e91c21929
humanhash: saturn-lion-beer-east
File name: eb9158b121ed38379a2c6e3e91c21929
Signature: Loki
File size: 264'047 bytes
First seen: 2021-09-28 09:02:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep: 6144:l8LxBjEln87x7roi0Smawia7Hy9k5dA14tTvIx0yd8Hs6ZCh:0S8N/oi0SByyiS18LIx0ydhh
Threatray: 4'809 similar samples on MalwareBazaar
TLSH: T136441222A1C2C5FFFBD296B095357AB6F27A9F86050512578FE41F373074A06D80BB86
Reporter: zbetcheckin
Tags: 32 exe Loki

Intelligence


File Origin
# of uploads: 1
# of downloads: 79
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SOA Swift.xlsx
Verdict: Malicious activity
Analysis date: 2021-09-22 05:50:30 UTC
Tags: encrypted opendir exploit CVE-2017-11882 loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Creating a window
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2021-09-22 07:01:09 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SHA256 hash: 73d3ff56d25b5e38b3797d9a0a9a38e7562482643d98e98fad3859b7131e38e4
MD5 hash: 697d6a656689a4149a5f0dcb38147570
SHA1 hash: ed37ba2df07f4e58e065eea1249542f3d2fccdc6
Detections: win_lokipws_g0 win_lokipws_auto

SHA256 hash: 064bbb4d379049514f80f1c6e1ab89c54385f54b88af700be8b85888aec9a011
MD5 hash: cacf978c6a8ed4c857e4095353de16f9
SHA1 hash: 7d5d24740d5fe3553fc89bef9e79bbd52742c575

SHA256 hash: d43cd307bf48505b33150202c0e787fcf79af09be0389558f5461d2a2ef64f2b
MD5 hash: eb9158b121ed38379a2c6e3e91c21929
SHA1 hash: 59a89092ab039ce6968c5855fdcd76dcefbd4e8f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe d43cd307bf48505b33150202c0e787fcf79af09be0389558f5461d2a2ef64f2b (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-09-28 09:02:46 UTC

url : hxxp://107.172.93.32/wins/vbc.exe