MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d691c2a8c6d1424bb3d39b27fa3712bb0b18e3690a49414b1a5afd602ded9bf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d691c2a8c6d1424bb3d39b27fa3712bb0b18e3690a49414b1a5afd602ded9bf7
SHA3-384 hash: ab2d84095ce65df31c3976b99f171cff6205bf1966d5b2b8edc6330b9ef082e43d1195e9a59e49cf87747a76353c1134
SHA1 hash: 061f984da96ed5b31680c89d247c958a5531ae54
MD5 hash: e69c00a3b5195c732c9e299e1878f062
humanhash: diet-red-spaghetti-kilo
File name:RFQ For June 2021.exe
Download: download sample
Signature Loki
Create hunting rule
File size:377'856 bytes
First seen:2021-06-21 07:06:29 UTC
Last seen:2021-06-21 08:11:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:c8eOCIutm+cFDIDcu59REqOqzmBH9803zIq9nhaVEt9nIRsoma:7ClcFIDcuNYYmHLR9IRfJ
Threatray 65 similar samples on MalwareBazaar
TLSH 82849AB73104D12DCB77C63D9012E259BE631E831CF5A64E1BC473FD88366866AB2B46
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://63.141.228.141/32.php/fhAq3ugeI7NI8

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://63.141.228.141/32.php/fhAq3ugeI7NI8 https://threatfox.abuse.ch/ioc/138084/

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ For June 2021.exe
Verdict:
No threats detected
Analysis date:
2021-06-21 07:30:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6abba0a6-906d-4f8d-9b12-3f528cf1a1c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.26874.7332.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3a06650e-7485-4f48-9e47-d667f5fb36aa
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805178
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d691c2a8c6d1424bb3d39b27fa3712bb0b18e3690a49414b1a5afd602ded9bf7/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 07:07:11 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=22i4fkgg2fbexm6ttmt7unysxmfrry3jbjeucsy2ll6walpntp3q._file
Verdict:
unknown
Similar samples:
40d9a35f5447c114156de80c7b633907db8c7e26f04388f42c3b76b4183ab0d8
Loki
5391a6ed1fe458685e02c04cad045a5148d4f01e4d45b9dd70927c46b5e6420f
Loki
588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
Loki
62dfec4ae1b54d763d3ae01d9a0458c6ebf2e35f898bcaebac5e10d5ff477c7c
Loki
667cc8470b2505337ba40eef76fc4ecb743b2bfea8081f17df81315afeb9ac35
Loki
a78e2922a71640ceaab1d98b56e1e6807f4b9c9f303383d9ed5b677aa5b5675e
Loki
bf618789e2d59d7bb417670150e59434cbf04c0300847740718f03f89591af58
Loki
cf8994976d58b8778246f5c5908ec64a0fdfebfe2bd80ecaa96ed27baf9d1ed2
Loki
f27c6d23143bb1c0ea77515c806ee7d75889c31262c7c26a5868989fef41e466
Loki
f4af46ad96a86cad60d613a3387a0a68c580247ef88943e2ea0e5b9679a38c2e
Loki
+ 55 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210621-a71re1twne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://63.141.228.141/32.php/fhAq3ugeI7NI8
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b96f512bc2b21584e575e3952b9d233d6e3b2c70d932dcb8ba417a5238499601
MD5 hash:
3173fa7046bbdeb0a856c0ff8577acb6
SHA1 hash:
6d9bb66715bbca3f2db89b6313f73b4f5810f62d
Link:
https://www.unpac.me/results/1358a1af-5f2d-4a55-a993-ae0055e5efea/
SH256 hash:
d58d41e867c4d4deb304241771192df66eaa49afe44ed802463e211d85d2b9ce
MD5 hash:
4ccafc8d1b0320bb450b1315f0884dad
SHA1 hash:
5e0fe1f01573c63121c99c21276e027eb880f893
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1358a1af-5f2d-4a55-a993-ae0055e5efea/
SH256 hash:
35135561193dc8000ea423d58718b6075d681129a5ea6506395af16beeb327ba
MD5 hash:
fdd14f3fc37a2eaf1a22f5e8c733865b
SHA1 hash:
29a84017c2cc82c48351bde21e90543c568e2d4d
Link:
https://www.unpac.me/results/1358a1af-5f2d-4a55-a993-ae0055e5efea/
SH256 hash:
d691c2a8c6d1424bb3d39b27fa3712bb0b18e3690a49414b1a5afd602ded9bf7
MD5 hash:
e69c00a3b5195c732c9e299e1878f062
SHA1 hash:
061f984da96ed5b31680c89d247c958a5531ae54
Link:
https://www.unpac.me/results/1358a1af-5f2d-4a55-a993-ae0055e5efea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d691c2a8c6d1424bb3d39b27fa3712bb0b18e3690a49414b1a5afd602ded9bf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments