MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94c9ec0221c2e8a9d5f0846a4abb9210ac96f58ae11355d5094caafaac76b4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d94c9ec0221c2e8a9d5f0846a4abb9210ac96f58ae11355d5094caafaac76b4a
SHA3-384 hash: c983bace5c85a9e8879fb2f8f9842b1c61ea5dee7a71af75cf38bc72e9d3fad7a0c270d7efab8c61e9cf515ce650b71c
SHA1 hash: 1db5eb66214e7014d49ef6e731b0dd383dd8793c
MD5 hash: a0a40e4139311311c2c31d200e7e3a59
humanhash: fruit-bulldog-cat-victor
File name:proformapdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'203'712 bytes
First seen:2021-06-22 13:16:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:u+UXXIcXoiXXIcXo0XXIcXoEZr5G87Zl7CrQGfZ2W67LqOtQtgc3+21PnXXIcXo8:i/hFZVlagWaL/s+mZZZ0GTZ
Threatray 3'278 similar samples on MalwareBazaar
TLSH DC457C1D955E9D53C7AEFA788AF2BA80E37C93A47C7FD123053208BAE968D8D11574C0
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://63.141.228.141/32.php/hVjgJl5jKemRQ

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://63.141.228.141/32.php/hVjgJl5jKemRQ https://threatfox.abuse.ch/ioc/139928/

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
proformapdf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 13:20:35 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/ae565bdf-3bec-4df4-90e8-a25ce35e81a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167569/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/10517181-b937-4a9a-9480-5ac614b6be00
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805964
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d94c9ec0221c2e8a9d5f0846a4abb9210ac96f58ae11355d5094caafaac76b4a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 11:18:21 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fgj5qbcdqxivhk7bbdkjk5zeefms32yvyitkxkqstfk7kwhnnfa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
05fde892732b9dc4d7e78ef54fd7d2ab28caa582afab008a4556909b47c831e3
Loki
20c96b7d59f0c3cfaf7d4d712a8b7defb21d901dd53c910e27fdef15e85b0836
Loki
22377e133f9eeb822f92390f2c5abf0a7f9eb856e7f66e435041b171dcf3d987
Loki
312148dcc6a95e0f52319990b3a3a7bcc7276420a2d79dd693a207c4708179a1
Loki
39d8cdb221c6bdedc7cbff266ae9c2ec6c1bce4474e72ea897c0d2e03cb39f0c
Loki
3a1d1af83f1d6d41b81db7d6b8fa12704cc90a488e0c70aaa2344c49f5c770e5
Loki
c64c7917c1c243020aba73f6fe8046c780f876405d5842f7419db30b618efc01
Loki
df1f012094e4d7601eecac850af54eb268691a8dd95f79fae052e6b7588780f5
Loki
ec259bb9de0be071ad6cbfb9f691b754ba4b2b8e751a79deb086a994e165a9a2
Loki
f450de216509d54d57606d71016ad6749f124b789a35ceffbbc5f768d62bdf4d
Loki
+ 3'268 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210622-gcqppdr9xx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://63.141.228.141/32.php/hVjgJl5jKemRQ
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0daece2bfd7a3bfd7c40077cd49ef355493c1e4e7d6bf2a0d4bb81765a0f9eda
MD5 hash:
8455f029588fb55891f11ab8215e65fd
SHA1 hash:
8f1f13bd403c069c9559bd455162b11489a5300c
Link:
https://www.unpac.me/results/6c0e235d-e018-44a0-ad6c-2dd03afcf20f/
SH256 hash:
485c70224b01677aa5bc1278d7472a53f7917e3fa4ba86ffa475d9250b0a4d98
MD5 hash:
46937571f64345b65c05518b2fdd8264
SHA1 hash:
772211c2e2b8d1c32ae82c33e76e9e7b772516ec
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/6c0e235d-e018-44a0-ad6c-2dd03afcf20f/
Parent samples :
d94c9ec0221c2e8a9d5f0846a4abb9210ac96f58ae11355d5094caafaac76b4a
31faaeb4816858f1780d975c523c3e6a9779231cbf2dace17b6b862b491cb00e
b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e
SH256 hash:
06306e33b7e10429759ab8c42e31e9eb8edbd76c4f1a792a5c231a57876ea338
MD5 hash:
5bdd03077864d32db51b085294859f68
SHA1 hash:
70392a93a4c8be2377915fd6e6d3e7a3a9600adf
Link:
https://www.unpac.me/results/6c0e235d-e018-44a0-ad6c-2dd03afcf20f/
SH256 hash:
d94c9ec0221c2e8a9d5f0846a4abb9210ac96f58ae11355d5094caafaac76b4a
MD5 hash:
a0a40e4139311311c2c31d200e7e3a59
SHA1 hash:
1db5eb66214e7014d49ef6e731b0dd383dd8793c
Link:
https://www.unpac.me/results/6c0e235d-e018-44a0-ad6c-2dd03afcf20f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d94c9ec0221c2e8a9d5f0846a4abb9210ac96f58ae11355d5094caafaac76b4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167569/

Comments