MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb
SHA3-384 hash: 17a9bd39ca7908afe6c8d5b78f580d705289a770644100770c9db8b924bcc5ce36e4e6724b73ab11523c34f8d025c5df
SHA1 hash: 953c733031c82439544ced04e3f6ca45c8a3a19c
MD5 hash: e3e088fc838eedef856bd24f1b73e0f8
humanhash: yankee-lactose-missouri-xray
File name:e3e088fc838eedef856bd24f1b73e0f8.exe
Download: download sample
Signature Loki
Create hunting rule
File size:241'652 bytes
First seen:2022-03-22 18:48:20 UTC
Last seen:2022-03-22 20:42:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 3072:rS17XJiDxmJJphkXP9FdJBGlQmJNrbVfsOzBn/briKPGi+eblD8q7690/QggwdTd:rGiehkljJYl5/VfsOlbrZBz769YtHb
Threatray 6'979 similar samples on MalwareBazaar
TLSH T1123412075AE0C9BBE9D8FC7145B9B774D3FAA1C0118A69138B910F9EBD2548F4A211E3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/255069/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.1576.17970.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/623a1a34b94fb38cb4d0ef45/reports/671b492f-14fe-4ff3-98a2-8e3e887b2ba5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6856e72-32fc-47b8-96e0-97707e5a35c3
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962084
Behaviour
Behavior Graph:
n/a
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 15:50:06 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3wpwo7ewjsa75gxty36k3byka7t7h7oxreltsf4jzdzbycpeil5q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2289816fa967e230968ffe986a76950ba4938c6f0c3b27912ec480bf5c0e62d5
Loki
3851e1c8c896ecae1035576a4b37d1fafa0690df428e255ed709c155cf77279c
Loki
50cb7b0b1d15d89428745bd508343b52d5f197b5f57cdf83a077973bae3d1ec1
Loki
5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558
Loki
9740fa7b19f17e4c6df857ec1240c243a77ad689894ecaa92bd112709c242664
Loki
d705d1e518e32f4c1dcfdce42040cd87d30ad8cd032d9bd4fe1fde67285ac5b9
Loki
da2f8b897d09228f81c3019c98676c771b85f0d68471628dfb685201af0422d5
Loki
+ 6'969 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220322-xgcejsgfe6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://furnaceshst.net/ge3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
704e2a2b3f1a75984cf26697b3e04782ed85fcdd10cc459aeac4999488cf7380
MD5 hash:
599acda6e3e96d1c7151fc13cb79a3fc
SHA1 hash:
3a08290967bd852299e4a4a7657eb6e489f71bc3
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/00c4a925-35c2-48ca-a641-522c5c238d95/
Parent samples :
def21396deb548726569993e3462fe6633e7d731d4652215744610b23d99a4ca
dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb
SH256 hash:
2e140d0cb79a85ec789e93457db6cb1433984a5e24f6199265d41f0dbb6e4a7a
MD5 hash:
d12297f8de40bf8da9a2dd67355e4b1c
SHA1 hash:
2ed659f80831dfa91ff2dd27439a259481f4e74d
Link:
https://www.unpac.me/results/00c4a925-35c2-48ca-a641-522c5c238d95/
SH256 hash:
dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb
MD5 hash:
e3e088fc838eedef856bd24f1b73e0f8
SHA1 hash:
953c733031c82439544ced04e3f6ca45c8a3a19c
Link:
https://www.unpac.me/results/00c4a925-35c2-48ca-a641-522c5c238d95/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd9f677c964c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe dd9f677c964c81fe9af3c6fcad870a07e7f3fdd78917391789c8f21c09e442fb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2111105/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/255069/

Comments