MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f751e7c6878e6b3165a3dc815468501cb14355222e75cb2f18afc3cd4565cbdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 11



SHA256 hash: f751e7c6878e6b3165a3dc815468501cb14355222e75cb2f18afc3cd4565cbdc
SHA3-384 hash: 0257bac606daebcfad75225d9f9382f3a8f3d4496b4017b59729d5e316b961fa3ab15dfcb7bb92d03f0bb90fe84bd663
SHA1 hash: 0a31647296b18ff82c19ba142e138661b30c6aab
MD5 hash: 8633a61c44a39b8e0f1bf9a8f353b7f0
humanhash: steak-venus-edward-missouri
File name: vbc.exe
Signature: Loki
File size: 248'712 bytes
First seen: 2021-08-04 12:51:36 UTC
Last seen: 2021-08-04 14:24:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d8dda11e9d039cb0a1c2e717bdda6d64 (5 x Formbook, 2 x Loki)
ssdeep: 6144:Znb6FRrH1Y5iOX5v3EpVtDR5O2ieSvxOcP6cSOiz5l0Rz3Y+ZTvG:Zu1YkdzpRL/SvxHPIOill0Rz7Za
Threatray: 3'952 similar samples on MalwareBazaar
TLSH: T1AA34F1926AC5D231F52182BF997B6E9CD9DCEAC10F8207C3E3C8081956A15E3BD3855F
Reporter: info_sec_ca
Tags: exe Loki

Intelligence


File Origin
# of uploads: 2
# of downloads: 117
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: vbc.exe
Verdict: Malicious activity
Analysis date: 2021-08-04 12:52:57 UTC
Tags: trojan lokibot stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Threat name: Win32.Spyware.Noon
Status: Malicious
First seen: 2021-08-04 09:49:57 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 2/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer suricata trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://185.227.139.18/dsaicosaicasdi.php/XjjuWy0TVqjre
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: f751e7c6878e6b3165a3dc815468501cb14355222e75cb2f18afc3cd4565cbdc
MD5 hash: 8633a61c44a39b8e0f1bf9a8f353b7f0
SHA1 hash: 0a31647296b18ff82c19ba142e138661b30c6aab
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe f751e7c6878e6b3165a3dc815468501cb14355222e75cb2f18afc3cd4565cbdc (this sample)

Delivery method: Distributed via web download
