MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 dc127be1f37e6073c03b9b79590d6710a22d481e47d7a483b38c216277ab4e86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 7
| SHA256 hash: | dc127be1f37e6073c03b9b79590d6710a22d481e47d7a483b38c216277ab4e86 |
|---|---|
| SHA3-384 hash: | 84fcb16194a183920c49a6e2a4321992399898a29c4fefbf108345ba8f386806812e41bdb09431005990bdd4751bc8c7 |
| SHA1 hash: | 90c724194bac0f23d46cf44c996422fbd17ec616 |
| MD5 hash: | be75eb2acde97638cad220e3a400b99b |
| humanhash: | skylark-edward-jupiter-item |
| File name: | be75eb2acde97638cad220e3a400b99b |
| Download: | download sample |
| Signature | Loki |
| File size: | 640'000 bytes |
| First seen: | 2020-11-17 15:56:29 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 12288:7hnhEjcmxXYS9Wjy7ABsSBwWytN1pY9U9LQRn5yN0:+MyE/azpYyLQlD |
| TLSH | ACD49DE6A3983F67F07DD3B595280825C3F1ED12C763DB4D7C8A31CE8895E1287A161A |
| Reporter |  seifreed |
| Tags: | Loki |
Intelligence
File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
DNS request
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Backdoor.Androm
Status:
Malicious
First seen:
2020-11-11 08:06:50 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
5/5
Detection(s):
Malicious file
Unpacked files
SH256 hash:
dc127be1f37e6073c03b9b79590d6710a22d481e47d7a483b38c216277ab4e86
MD5 hash:
be75eb2acde97638cad220e3a400b99b
SHA1 hash:
90c724194bac0f23d46cf44c996422fbd17ec616
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
SH256 hash:
f5050b11cb304ff6febb50e7211a49eea77d47571cbc43bcb4a11bdedc77159b
MD5 hash:
7c78b959061c780e9898a0a0f7a731a0
SHA1 hash:
03d0d786a3acf89e3ba7ed04e461217979f6dca0
SH256 hash:
98d70bd1ecd5fc44606e5bbd572fa38c657144d9de511d69182a87e7a632020d
MD5 hash:
410904f85b5178ed433333a343b0bb8e
SHA1 hash:
47de291e50971a15b08c2ff1b5a855c647dae733
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
SH256 hash:
d5257b83b0bf875039857c0bf4ba0d9d60cb22baf8e57cff69b218b811dcd972
MD5 hash:
63c02199f98eb0ff11bdf96ceda5fc6a
SHA1 hash:
6a58a2482ea5be2ff9e0122f0510c648c814b00c
Detections:
win_lokipws_g0
win_lokipws_auto
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Email_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Email in files like avemaria |
| Rule name: | infostealer_loki |
|---|
| Rule name: | infostealer_xor_patterns |
|---|---|
| Author: | jeFF0Falltrades |
| Description: | The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads. |
| Rule name: | Loki |
|---|---|
| Author: | kevoreilly |
| Description: | Loki Payload |
| Rule name: | Lokibot |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Lokibot in memory |
| Reference: | internal research |
| Rule name: | STEALER_Lokibot |
|---|---|
| Author: | Marc Rivero | McAfee ATR Team |
| Description: | Rule to detect Lokibot stealer |
| Rule name: | win_lokipws_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.