MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eef20ad084cce596d60be110ffa96a7cc93b5a38cbc2bbe773ca66ae771e4889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eef20ad084cce596d60be110ffa96a7cc93b5a38cbc2bbe773ca66ae771e4889
SHA3-384 hash: d406abb32c05a043d053896f3a1947c6cefe9c4eefc62dc850ebeb3b58222d8861cbec05531c70e44fdf93583d0692a4
SHA1 hash: c0a7c9945df3a55c01d5441f3181533030542013
MD5 hash: 00862d9d48cc080f755ffb8080ed34ca
humanhash: yellow-juliet-sierra-tango
File name:Informe bancario.xlsx.bat.exe
Download: download sample
Signature Loki
Create hunting rule
File size:727'040 bytes
First seen:2021-07-08 16:41:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'799 x AgentTesla, 19'718 x Formbook, 12'278 x SnakeKeylogger)
ssdeep 12288:4CLzD1s7W+K90n5/aAJTS4+q0jyjU5EZDP0lbqzrIO20Nmy:xnD67WD0n5/DdKmw5EtkbqzzNm
Threatray 3'966 similar samples on MalwareBazaar
TLSH T1A8F48C7A60369F61EDBFC73A4730552C4FEEB67BC257E2B91CA0709904D0F540A62A27
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://185.227.139.18/dsaicosaicasdi.php/FXsbYX1K4uTzS

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.227.139.18/dsaicosaicasdi.php/FXsbYX1K4uTzS https://threatfox.abuse.ch/ioc/158700/

Intelligence

File Origin
# of uploads :
1
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Informe bancario.xlsx.bat.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 16:42:46 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/712d36cb-7197-4231-98b8-28e1839c92c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170521/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.908-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28a232b8-1cf4-4d17-b992-4eee7e9b9018
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813643
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eef20ad084cce596d60be110ffa96a7cc93b5a38cbc2bbe773ca66ae771e4889/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 16:42:09 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=53zavueeztsznvql4eip7klkptetwwryzpblxz3tzjtk45y6jceq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0ecc2f2a0346ca13361092909a8587927ab52b9532ae7b6d69367546369b31bd
Loki
18a2d764976f493babcba30bfbf8fb1260c39f6f05ff0a217932b0e4a5755c59
Loki
525a8b4b10e2eb7067eac0ff67cffa19779019dbf5ea82f55f8b589acdd3049a
Loki
6bea537574ef586ad6148ac5189a286d0c553518b74fed3288017013f52d6d08
Loki
7595980954007d3f83848feeb1b75115710f953952eec63ad46e6ea257aec55a
Loki
8b58c709b540728e2546dbaa406d689c63d5174c821184e2beb0290b85e4fcc1
Loki
8bf2fb9f4686b128f0ecf8c5512fca579317147575eef3c6f423e5280dd751c0
Loki
8dc3d4e2fe3d376b13ae0ff882d26d69fe06a72ab549f005b8e76beef5b3b548
Loki
97b68c9bf689232d9ba457a3f39ff815400e9ed0adf6dfadca5809784c205cfb
Loki
c3343b92155dfd866001b1126374d5d6e6e8efcbb889eccf0699dd6f29be580c
Loki
+ 3'956 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210708-yes1b2aj5x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/FXsbYX1K4uTzS
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
6fed23628762e1f405b5efed7e77177c5c457f324a0b8369dcb3cef52cf7730c
MD5 hash:
8d5b5ee4158b0f8ae9dbf0d4e0f6e959
SHA1 hash:
bcdc020e368b030a0fbc40fad4f346873ba18990
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/998d9426-95f1-4dd7-b949-ef04a274f3f2/
SH256 hash:
a386ed47f2f637212ebf682aa024adacaf779bfa214f9e1f538a08f7b41a9224
MD5 hash:
186ecb58fb6760c14648984a55266585
SHA1 hash:
b765fea7a125ad3a7484e321c8b44c02235c1513
Link:
https://www.unpac.me/results/998d9426-95f1-4dd7-b949-ef04a274f3f2/
SH256 hash:
5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110
MD5 hash:
257ca10e5cbb2f8bdf0ae6f3e900e11e
SHA1 hash:
9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec
Link:
https://www.unpac.me/results/998d9426-95f1-4dd7-b949-ef04a274f3f2/
SH256 hash:
eef20ad084cce596d60be110ffa96a7cc93b5a38cbc2bbe773ca66ae771e4889
MD5 hash:
00862d9d48cc080f755ffb8080ed34ca
SHA1 hash:
c0a7c9945df3a55c01d5441f3181533030542013
Link:
https://www.unpac.me/results/998d9426-95f1-4dd7-b949-ef04a274f3f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/eef20ad084cce596d60be110ffa96a7cc93b5a38cbc2bbe773ca66ae771e4889

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170521/

Comments