MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d
SHA3-384 hash: 73174d6d604beff765c8b8d23777491fabd06f06519239125ca8617b26e23f7ddbafdcbb05b69a3cc9f0a54a1d37e248
SHA1 hash: bf6ec03e625c3cdeffc55079553457508222ff84
MD5 hash: a4e87c684a48d0b140509540dd333232
humanhash: mockingbird-uranus-bluebird-fix
File name:a4e87c684a48d0b140509540dd333232
Download: download sample
Signature Loki
Create hunting rule
File size:298'305 bytes
First seen:2021-08-03 19:01:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 47132e7294d9df76f8ee6d6805dd5e2d (5 x Loki, 4 x Formbook, 1 x BitRAT)
ssdeep 6144:Z3CWs6VpP25tNZSCV+PJD2wyQH4KrenMNR9ShadU5EtW:ZyWs825tNB+920DqMb9xc
Threatray 3'933 similar samples on MalwareBazaar
TLSH T19654F122BFE2C831E5A3A5301874D5366A2EF9220B34CD7B764503365F387D2993987B
Reporter zbetcheckin
Tags:32 exe Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre https://threatfox.abuse.ch/ioc/165548/

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2form.docx
Verdict:
Malicious activity
Analysis date:
2021-08-04 04:56:27 UTC
Tags:
generated-doc exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/981367ca-3df3-47b6-acb0-16ec438d67ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lokibot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176166/
Detection(s):
SecuriteInfo.com.Generic.Cryptor.X.6285D7FF.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Sending a custom TCP request
Sending a UDP request
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9d563c8a-50ac-4b58-85dd-b43492a5926a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826473
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d/
Threat name:
Win32.Ransomware.Cryptor
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 19:02:09 UTC
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5hrwxunyvjchmwivaj4oqolwpf7nrjoxhzmazj2f4jdli5fhkooq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0fb699b995c7844be905bde197f7ba9da846861a5030b1bbf15bf5a5cc9c460b
Loki
44df96504ff0a727740da2a67982e2d214849ecf98a64de1ffcbf92bb46331a1
Loki
89b691f7c5016920b20535dc985904842bdf04ab6a8dd34f1716883083b3f47c
Loki
b0b75a09ed9067afa8b28f6615fee9a81511f35a6e9c075535d51031870fe3c6
Loki
b7780e3be29286fab7cf6ca17d1fc3f4acdde8329915d19e506719e553d81e7b
Loki
bbbe39716fc34ce2fc73e72a86669a1948ed5fb6a83ab0ce7f939409ac5d5474
Loki
ce207e2947bf28ce45b063ed003e4a80e4e164aa4d1002c246044d9c3dd33bf2
Loki
dc22feb35cf38c969ce024363e6af1c621d3ca38de0055aa6361a00f87638f8c
Loki
+ 3'923 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer suricata trojan
Link:
https://tria.ge/reports/210803-a6cml4x9wx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
58ee83e559968615f1158a80068db0b445179bda82ec44773bf31c6488823213
MD5 hash:
54b08ebff71d9dd2174b6b8c4cb2b7c9
SHA1 hash:
4df8e3b24eeda1c51952f255308e9ff48712eebf
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d5bac477-7eae-4f05-9598-5f6da615facf/
Parent samples :
dbadb8a0f9e9085409ebaf01c9a2af057597b2bbf5b8ecdef2f1c5601cdfedc1
e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d
b48c2ac8f72c116687094de6d2b1fc1b1c2c5192ef6c9ca0df947a6e4066ac16
f751e7c6878e6b3165a3dc815468501cb14355222e75cb2f18afc3cd4565cbdc
d586560a58ad44be9be80b819685a714d228d98596f1b44c4b08bdebc1c108db
c2a568e116a85d6085f78797c6906be3986236bdebc72c8e50638798aed60503
SH256 hash:
e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d
MD5 hash:
a4e87c684a48d0b140509540dd333232
SHA1 hash:
bf6ec03e625c3cdeffc55079553457508222ff84
Link:
https://www.unpac.me/results/d5bac477-7eae-4f05-9598-5f6da615facf/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e9e36bd1b8aa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe e9e36bd1b8aa447659150278e83976797ed8a5d73e580ca745e246b474a7539d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1503050/
Cape
Cape
https://www.capesandbox.com/analysis/176166/

Comments


Avatar
zbet commented on 2021-08-03 19:01:44 UTC

url : hxxp://198.23.212.137/windows/vbc.exe