MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edf3903c8a44afdd2c2ede31eccc3bb8c088f21cb933637a0e79592f0079c2c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15



SHA256 hash: edf3903c8a44afdd2c2ede31eccc3bb8c088f21cb933637a0e79592f0079c2c3
SHA3-384 hash: 595f4c0daeb350f46e47556adc413390a406643fe05623d9ea80e0e50c2028ca9deb43e0a6094978a14f1ee1e59a0c98
SHA1 hash: e55ececadad36190a395bdfb507defdb1a59a4cc
MD5 hash: e07b836d7100bdf914686d2a75013f5c
humanhash: autumn-foxtrot-double-lima
File name: e07b836d7100bdf914686d2a75013f5c
Signature: Loki
File size: 299'008 bytes
First seen: 2022-03-30 15:08:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8ee4f2cace7854793aad420556d77bc0 (2 x Loki, 2 x Stop)
ssdeep: 3072:fDURjsEa93uME9LPYbpmdUfeInC1L7mmZVkOgGLktCfF5ikMw0K4M/h332l:LU1AJuME9LPCpmdUfJcnmmZkbC4w0Rz
Threatray: 7'211 similar samples on MalwareBazaar
TLSH: T13654AE327580C832E57212719B56CFB4266EBC71596156833BD43B0DAA332DEAED138F
dhash icon: 480c1c4c4f594b14 (172 x Smoke Loader, 134 x RedLineStealer, 98 x Amadey)
Reporter: zbetcheckin
Tags: 32 exe Loki

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 175
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Reading critical registry keys
Changing a file
Stealing user critical data
Sending an HTTP POST request to an infection source
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2022-03-30 15:09:09 UTC
File Type: PE (Exe)
Extracted files: 35
AV detection: 23 of 25 (92.00%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot collection spyware stealer suricata trojan
Behaviour
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://164.90.194.235/?id=22044231991792986
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Loki
File: Executable exe edf3903c8a44afdd2c2ede31eccc3bb8c088f21cb933637a0e79592f0079c2c3 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2022-03-30 15:08:42 UTC

url: hxxp://192.3.122.154/200/vbc.exe