MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5078fdbde359885628dd3d3c1df88b7255ece2dba7a1b26b44fdce580fc3ff7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5078fdbde359885628dd3d3c1df88b7255ece2dba7a1b26b44fdce580fc3ff7
SHA3-384 hash: 624e873fcecac398907b3f11dab9b10bcbed3919b14c1156544d4807450fe3ed991fc6fb94607c3f332436596df72e8b
SHA1 hash: 7d33999c2042466e972430c861b974bf3d3367f6
MD5 hash: 184c97c1c55e1b529379a5ec7c737548
humanhash: friend-solar-ink-lamp
File name:ΑΙΤΗΣΗ ΓΙΑ ΠΡΟΣΦΟΡΑ 21-01-2021.exe
Download: download sample
Signature Loki
Create hunting rule
File size:413'696 bytes
First seen:2021-01-19 12:54:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 616765ca1e3c367f5f3771d38d13b610 (7 x Loki, 4 x RemcosRAT, 4 x AgentTesla)
ssdeep 6144:63CDRM9sIkrdnvYgUmCey/QOEHKUc1Vqv4bKEy1ZglddKR:Sf9HmdvYKCeYXCKJ1VK4bKBq7KR
Threatray 2'336 similar samples on MalwareBazaar
TLSH B394AE2371F08071F062C2B5B2649BA2357E7E215F21588B6FEDB95D1A7C2E0623F752
Reporter abuse_ch
Tags:exe geo GRC Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: cloudhost-2060988.uk-south-2.nxcli.net
Sending IP: 165.84.218.167
From: Αριστοτέλειο Πανεπιστήμιο Θεσσαλονίκης <webmaster@auth.gr>
Subject: ΑΙΤΗΣΗ ΓΙΑ ΠΡΟΣΦΟΡΑ (Αριστοτέλειο Πανεπιστήμιο Θεσσαλονίκης) EUI894/GR4633
Attachment: ΑΙΤΗΣΗ ΓΙΑ ΠΡΟΣΦΟΡΑ 21-01-2021.rar (contains "ΑΙΤΗΣΗ ΓΙΑ ΠΡΟΣΦΟΡΑ 21-01-2021.exe")

Loki C2:
http://51.195.53.221/p.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ΑΙΤΗΣΗ ΓΙΑ ΠΡΟΣΦΟΡΑ 21-01-2021.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 12:56:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3651f0a3-c02e-4f64-9c28-5c45ffc81079

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112879/
Detection(s):
PUA.Win.Adware.Bang5mai-6804572-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584984
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5078fdbde359885628dd3d3c1df88b7255ece2dba7a1b26b44fdce580fc3ff7/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 09:40:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6udy7w66gwmikyun2pj4dx4iw4sv5trnxj5bwjvuj7oolah4h73q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0b813805cdf296dc50f3336dcbf6e41f4dc119e753be9511634857eba90a7b0f
Loki
22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9
Loki
2347a0e7713f626fa94f646b3a410e5262236f9af04219bb1263f4d9a054a3fe
Loki
35f2d31f591a7850c05f86c1124aef7193bdd2f2ad7421d1fb09e1144b3fc3d3
Loki
3da3d4d08d81e85337fcad590190b1575b80834e246012f3684ebe6d86118886
Loki
43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6
Loki
445e1ae4fb515ce4fca81255fc4f569ba238d2a7b3ba0c093f4d55bc8fa5ae08
Loki
7c543362b23c8618d029f1fff5185c8af6adaaa3a6f358d4c8415e8e71ae7818
Loki
88fefe74a59525eecee004f0ca10e3b964462adc1f3b44a794282e17dd3dd67e
Loki
8f381987b6d04acb2f13d81524cd91deed670b4e678d34fc3960278a28cc4eb6
Loki
+ 2'326 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210119-kr1ke173q2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/pXqVbj1ory8MD
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b1f5505948535db9e353ebdfb87d8431a0bd559374d0c0de3152784a2f300e72
MD5 hash:
c9258d73175b7908277ec26a9bc98b8d
SHA1 hash:
01c6fb15e6f845370b2d40ab2eb2e659229f7e21
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d4c27851-f29e-420e-a97c-5ae50281ea86/
Parent samples :
445e1ae4fb515ce4fca81255fc4f569ba238d2a7b3ba0c093f4d55bc8fa5ae08
f5078fdbde359885628dd3d3c1df88b7255ece2dba7a1b26b44fdce580fc3ff7
SH256 hash:
f5078fdbde359885628dd3d3c1df88b7255ece2dba7a1b26b44fdce580fc3ff7
MD5 hash:
184c97c1c55e1b529379a5ec7c737548
SHA1 hash:
7d33999c2042466e972430c861b974bf3d3367f6
Link:
https://www.unpac.me/results/d4c27851-f29e-420e-a97c-5ae50281ea86/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5078fdbde359885628dd3d3c1df88b7255ece2dba7a1b26b44fdce580fc3ff7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 98074087cbf7d034d68f98107162f2285775976e0c9d30957b7b03361cd91c53

Loki

Executable exe f5078fdbde359885628dd3d3c1df88b7255ece2dba7a1b26b44fdce580fc3ff7

(this sample)

  
Dropped by
MD5 50345320eedfa66e2bc567c928898b18
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 98074087cbf7d034d68f98107162f2285775976e0c9d30957b7b03361cd91c53
Cape
Cape
https://www.capesandbox.com/analysis/112879/

Comments