MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db
SHA3-384 hash: 478ebf81df0be69e7b07b4ae8cbb4bd30563da293adbd1175528f5792ffb22238afc7972e2450d88166e9579d328f0ec
SHA1 hash: 67bdaab57d4854310a16c986b9b0620ba79c61a5
MD5 hash: 0a3c9c8db267f60127cc80272e8d0b7a
humanhash: ack-happy-echo-single
File name:0a3c9c8db267f60127cc80272e8d0b7a
Download: download sample
Signature Loki
Create hunting rule
File size:334'628 bytes
First seen:2021-08-05 07:45:19 UTC
Last seen:2021-08-05 14:19:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7f3a4a0e96d9bcc5b3425ad3dca611da (7 x Loki, 5 x Formbook, 2 x AgentTesla)
ssdeep 6144:UZbfkNQfL5Pu7Z1FRaFpoUTmwK5qoDjdVrJYpeBQuWhqZOc/8tQmIklmvqPAgj6V:Sbfkuj5LqUTmw+q2LJCeBQXqZOw81R6V
Threatray 3'984 similar samples on MalwareBazaar
TLSH T17664F105B1C08573E55148315476C9B16A3CFA354BA49EEBBBC86A3E9F302C28536FE7
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0a3c9c8db267f60127cc80272e8d0b7a
Verdict:
Malicious activity
Analysis date:
2021-08-05 07:46:27 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/20b75213-47a7-4205-b28a-d26f878a1541

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176564/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.55817.31998.11420.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d62ea79-b17c-425b-9a05-021c86e1b851
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827814
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 05:46:58 UTC
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2wdfmcsyvvcl5g7iboaznbnhctjcrwmfs3y3itclbc66xqobbdnq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
3353c2ea708d348c56facaab5c7aebb5a2ec6c820d076d25dc41f30fac712f6d
Loki
8ad687f4cb4a7c3cdf496a11b138089ede3f4c269bdbce4dfa8e18a8f7f4f144
Loki
8b6e08de57154b0a2e3805cecb24f32a487ff9768787c167a23a47927c93561f
Loki
b236304dad4fcf402b8dddc467038cbaf623284155ccc5671c972f57d238e088
Loki
b43f61f0ce7cc012f811460ae0c1483e90c6f5936a6c9033bdb9a14212879e42
Loki
b60c3bb36c73fa8d71560395ee90845572ba73e2adec148b1c60772450b0b425
Loki
b7780e3be29286fab7cf6ca17d1fc3f4acdde8329915d19e506719e553d81e7b
Loki
+ 3'974 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210805-dbxkdwn7ma/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
58ee83e559968615f1158a80068db0b445179bda82ec44773bf31c6488823213
MD5 hash:
54b08ebff71d9dd2174b6b8c4cb2b7c9
SHA1 hash:
4df8e3b24eeda1c51952f255308e9ff48712eebf
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/75aef3d1-04bd-4646-aa44-87f82ab184d4/
Parent samples :
dbadb8a0f9e9085409ebaf01c9a2af057597b2bbf5b8ecdef2f1c5601cdfedc1
e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d
b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16
f751e7c6878e6b3165a3dc815468501cb14355222e75cb2f18afc3cd4565cbdc
d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db
c2a568e116a85d6085f78797c6906be3986236bdebc72c8e50638798aed60503
SH256 hash:
d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db
MD5 hash:
0a3c9c8db267f60127cc80272e8d0b7a
SHA1 hash:
67bdaab57d4854310a16c986b9b0620ba79c61a5
Link:
https://www.unpac.me/results/75aef3d1-04bd-4646-aa44-87f82ab184d4/
Malware family:
Mal/Generic-S
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d586560a58ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1507223/
Cape
Cape
https://www.capesandbox.com/analysis/176564/

Comments


Avatar
zbet commented on 2021-08-05 07:45:20 UTC

url : hxxp://198.23.212.137/swiss/vbc.exe