MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfc761bd651db9fbcf544787fa5b982e93949fda88c7362f34c101f8446a32ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfc761bd651db9fbcf544787fa5b982e93949fda88c7362f34c101f8446a32ec
SHA3-384 hash: d2f838599f78e125de6d2a19718741b676107455ee15a41faee1845ffb841a5e869379e896a204c0995b2f9ab7d4d481
SHA1 hash: cf9d343645c8e8b5e74ceff811f83f660a28d752
MD5 hash: fb0240a1e41364a2f5f77e5a6206f724
humanhash: zebra-four-berlin-yankee
File name:fb0240a1e41364a2f5f77e5a6206f724
Download: download sample
Signature Loki
Create hunting rule
File size:175'616 bytes
First seen:2021-09-07 10:21:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0162c0d4b083e9259ae3a5f11034f58d (3 x AgentTesla, 3 x Loki, 2 x Formbook)
ssdeep 768:JrhQ0Y1Z7nkkMjX2czWpG5/MXXHMB52p0T8WXDDEq:JrhQ0A7n
Threatray 4'633 similar samples on MalwareBazaar
TLSH T1D0041E053208E64AC7D476795FE5CBB10728BD9C5C940A3339F9AF8F3AFC12B2625261
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fb0240a1e41364a2f5f77e5a6206f724
Verdict:
Malicious activity
Analysis date:
2021-09-07 10:21:56 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/d2f0c5f1-957d-4b20-af45-335c0086e00d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185995/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader42.34782.17143.6532.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Reading critical registry keys
Sending a UDP request
Changing a file
Replacing files
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Query of malicious DNS domain
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ae4f820d-880e-44ab-961d-2d092ae05733
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846497
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfc761bd651db9fbcf544787fa5b982e93949fda88c7362f34c101f8446a32ec/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 07:54:17 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1675fb76302c10aa0fe1f2f538357e39aeaba6c7162921c3e6c9a4cd3ebedd60
Loki
2466b0d75b3a043f2b0f341e7eb9a67612b230228543473dfd7a663338f0688e
Loki
4a6b31994025e7a6dcfeab2954dd3ae8aba701d227ac5b9684ca97e1031256c5
Loki
533fd8da75df1b1ba32eb92e70fcc930920a8839736e50c043c5df11eed21dd2
Loki
54802aa4ca1557f67314a573e918be4157b838d1bd0aa30c23d8e1f312994dac
Loki
8744b1bba11ed42a3e422599468f9d7aa117bf7264875591a82ebbf1dc4dbffa
Loki
a9d8ff851ff8644ca724b4f4cac643aebdcdf200df30b86066db120cd0d574b2
Loki
ad03d6c2459c0ee88848bd587581f4dc1183017aac47a757e566e0390e727f4d
Loki
+ 4'623 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210907-md8y8sffbm/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://arku.xyz/tkrr/T1/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
dfc761bd651db9fbcf544787fa5b982e93949fda88c7362f34c101f8446a32ec
MD5 hash:
fb0240a1e41364a2f5f77e5a6206f724
SHA1 hash:
cf9d343645c8e8b5e74ceff811f83f660a28d752
Link:
https://www.unpac.me/results/2b1c3bb1-81a1-4242-bc27-c200cfc6375f/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dfc761bd651d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/dfc761bd651db9fbcf544787fa5b982e93949fda88c7362f34c101f8446a32ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe dfc761bd651db9fbcf544787fa5b982e93949fda88c7362f34c101f8446a32ec

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/185995/

Comments


Avatar
zbet commented on 2021-09-07 10:21:28 UTC

url : hxxp://elite-detailing.ma/butlaoz/hsgfbtakroc.exe