MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edc80c67f18684f69dade8ffe6f190ca30eb0857ad5bb6a184ac76ac3cd1dde4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edc80c67f18684f69dade8ffe6f190ca30eb0857ad5bb6a184ac76ac3cd1dde4
SHA3-384 hash: 72bad73f85e737d8d75240860031a35439546f82ca69f2ca70940400e4c0c858e19d8b5c6ea346067cb164bb6de24573
SHA1 hash: 1569909ad2f5c6d31e94f211b4cd357e1d701d5e
MD5 hash: 54ad63318fc4ad597a5c0599cc1efbe1
humanhash: football-jig-ink-chicken
File name:54ad63318fc4ad597a5c0599cc1efbe1.exe
Download: download sample
Signature Loki
Create hunting rule
File size:363'520 bytes
First seen:2020-11-19 06:15:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:pY39kJzSlzWvi5M5efmUUltq4Y/mXV3Zw6BE8TbKZGZqhmfldIm7trNItrmEpQT:EahVzUq3Zw6mebpqhygCrNIt6T
Threatray 1'997 similar samples on MalwareBazaar
TLSH 14741246574DC25AFBBE8671E031495B02FBB8C8D016FEB48B88B45A87B3F076116279
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/542698
Signature
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edc80c67f18684f69dade8ffe6f190ca30eb0857ad5bb6a184ac76ac3cd1dde4/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 06:16:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1fc07dd40ce54a5f60fd732d7cef7e8021ef21971fe7027ffdf524f326c59ac8
Loki
2773ca0f617c527ecacc2ab05f488ad9bb4875816d8f934e920bcbc40dd3f604
Loki
2f53c96770351e95583b6c3d3bde7c4d44f0fc9e324517fd084a61000ed63dde
Loki
549041de891707defd3ad382b4a084683e0079d161edc02cc4ad16319402d7df
Loki
61a34452d0fe45c9ca538fae20e355c89d2d104b5dc8f50ca46be2d1e59e83c4
Loki
78b048f04b9e8f67609d91321edbf8cf27d3b94cafda8210568d67002c09855d
Loki
925f7ac6e0ab0911c0cd801094f7d22e407ab69755173d6a38fb4f325bb160f5
Loki
c46c893972a4e58ca13bd9751cad2e962d0a8d6b59e2a5d061250c1b79fbafed
Loki
e6c6e7d2f285d7248b7b8e2e4db1aa8340f967ff3f45a6a4c35165e24d3ff9a2
Loki
f0224af96362f4a0ce3124c641d2be5f99773d37fb1c47339f9e2561420e0363
Loki
+ 1'987 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201119-cd699jgt9x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Unpacked files
SH256 hash:
edc80c67f18684f69dade8ffe6f190ca30eb0857ad5bb6a184ac76ac3cd1dde4
MD5 hash:
54ad63318fc4ad597a5c0599cc1efbe1
SHA1 hash:
1569909ad2f5c6d31e94f211b4cd357e1d701d5e
Link:
https://www.unpac.me/results/a6649b84-4df4-4ba7-824b-9f9a3e3de5ab/
SH256 hash:
d21f4be1d5a28cddec0eb37d16d193ea10cba9ef064b746396b9f8ee4c95d061
MD5 hash:
20d9236dbddc18e4c3b41050dfce3218
SHA1 hash:
15b63e8d5aec54eadec4904ba239c599b60cb91d
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/a6649b84-4df4-4ba7-824b-9f9a3e3de5ab/
Parent samples :
47cd254d9e0104e8fbe51d35b06c2e250c8af9d6896702f88c793eaeda58bd18
72c5f337c25c6673db536039bf248ab7dceeed651b26ebb34c7debd53ad48440
24f9deac942621a63882293c9e365f068ecf4e1bb78485a2dce42765eb5e37b5
8b211eb288370426bec2c6472ccb0830a9487e3c0c53fcbf9061c4349bd1e2c8
edc80c67f18684f69dade8ffe6f190ca30eb0857ad5bb6a184ac76ac3cd1dde4
SH256 hash:
34d46abfd3c81b2af882a6f366cc7c786f30ee41ff42893f975d3241cacbec77
MD5 hash:
ea3772f3d4a140fcb59d36cd00e87292
SHA1 hash:
497779c762760a7821f61960344120566c64ba52
Link:
https://www.unpac.me/results/a6649b84-4df4-4ba7-824b-9f9a3e3de5ab/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe edc80c67f18684f69dade8ffe6f190ca30eb0857ad5bb6a184ac76ac3cd1dde4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/807263/
  
Delivery method
Distributed via web download

Comments