MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f49835a41a28aa1ed0f0ee8807125c8f47c821f9868c71c53223412aa15a367f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f49835a41a28aa1ed0f0ee8807125c8f47c821f9868c71c53223412aa15a367f
SHA3-384 hash: ea74eaab0a0981377a0d7faa9ab2a28f8a25566a00c15f4e8dab701275334b4874db7a0e55fc6a22c5adfbaae90cdff9
SHA1 hash: f0335dac1682f4b5e8437dc6543132a9ec460f85
MD5 hash: 8ad46c33cb9190bfe37091aeb2762261
humanhash: lithium-magnesium-utah-six
File name:file.exe
Download: download sample
Signature Loki
Create hunting rule
File size:422'400 bytes
First seen:2021-05-05 13:06:49 UTC
Last seen:2021-05-06 10:12:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Is0i/Y63G1s4orU+HG8D5uYcLcatC/5Vvh9lNkq6ed9UdLRfRbyzGuyNpqRm:Dp53Ks4sv2u5t6edU9f4qu4pCm
Threatray 2'934 similar samples on MalwareBazaar
TLSH 9D94F093A7C9A2ADF87B6B70AE3105A007B7F9557A76C31D096DE00D0F63B458B02736
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150609/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

Win.Packed.Generic-9835658-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Creating a window
Sending a UDP request
Creating a file in the Windows subdirectories
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f49835a41a28aa1ed0f0ee8807125c8f47c821f9868c71c53223412aa15a367f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 13:07:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6smdlja2fcvb5uhq52eaoes4r5d4qipzq2ghdrjsenasvik2gz7q._file
Verdict:
unknown
Similar samples:
0f77d6c4dce6e5ca6139b77b22d0f92c0a2862184e4a1ec8f4c95d55c4ed589a
Loki
15e84355978fd585af794a5aa1b61144a9197d1410219a4e129aca0ce953904d
Loki
40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a
Loki
5e7621b7f875f9e6c730454d916a2bc2acb7d8b1fbc1dbe7cdb1917d42f1590b
Loki
86d5516b71ddd68cf50273d5fa8a501c399be218b35dcfc09c29ef97f3afc111
Loki
9afbb7350fafda2e3e4e86047c929d7dc7023956ab54f073de2ba2e93d176329
Loki
b1c19db83bdddbc4d91689cf0c9f035bd7778492c164fa664f99552dedc1ee10
Loki
b64ddd178d652c5432004449edc53fea2abdba8633259b4d8b329e1c8484e98a
Loki
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
Loki
fdbd4ac1322e5a2c5ef5b808da68f48ca1ff111cd649c86aa0123c3d5538c7f0
Loki
+ 2'924 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210505-bya6gap7he/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/5hPy21sFvv3Df
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
68b716109ff4e18e21bd0acacb3796f7930771d19f6a766d7d3aa0bbde4ce7e0
MD5 hash:
a3d1d373062f59282307d4b9966d702b
SHA1 hash:
60c9c330e6ff63d3e0b3b0b700ac37bde5997ced
Link:
https://www.unpac.me/results/81b037f8-d312-4a8d-96c6-22fa70281b92/
SH256 hash:
f49835a41a28aa1ed0f0ee8807125c8f47c821f9868c71c53223412aa15a367f
MD5 hash:
8ad46c33cb9190bfe37091aeb2762261
SHA1 hash:
f0335dac1682f4b5e8437dc6543132a9ec460f85
Link:
https://www.unpac.me/results/81b037f8-d312-4a8d-96c6-22fa70281b92/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f49835a41a28aa1ed0f0ee8807125c8f47c821f9868c71c53223412aa15a367f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150609/

Comments