MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa74917b3412cf02ceb60de07292b3b5ad1b9553cf2b4f91cbd0b463276c128d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 12

SHA256 hash: fa74917b3412cf02ceb60de07292b3b5ad1b9553cf2b4f91cbd0b463276c128d
SHA3-384 hash: c2b9fea1f65ad22031b3d8e834b83d4af3295011885299d63eeb66b7d49aa296d2867d55ace07e57bee28d4bea89f789
SHA1 hash: bb5853e568638a08e4946bd485166e16d8caddbc
MD5 hash: 62d3e3ee385e01f1373de562d3b7c57a
humanhash: mobile-kitten-florida-blue
File name: FA74917B3412CF02CEB60DE07292B3B5AD1B9553CF2B4.exe
Signature: Loki
File size: 550'400 bytes
First seen: 2022-12-03 05:15:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 22103fe291d736c62df924a9fa661f63 (1 x Loki)
ssdeep: 12288:VAZ1UTYSwufC5pznPeiPXrJbIXEIJ+esTCmxO:hDK5pzPeiPrJbGU2mxO
Threatray: 11'584 similar samples on MalwareBazaar
TLSH: T1C7C422EDFFAD2622CC140C3500EE2E55BF38D6647D76E383405A4A6E3C66B6AB432471
TrID: 28.8% (.EXE) Win32 Executable (generic) (4505/5/1)
      19.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      13.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      12.9% (.EXE) OS/2 Executable (generic) (2029/13)
      12.8% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: c8d2d0f0e8ccf0f0 (1 x Loki)
Reporter: abuse_ch
Tags: exe Loki


abuse_ch:
Loki C2: http://impexawards.com/medco/Panel/five/fre.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 196
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: FA74917B3412CF02CEB60DE07292B3B5AD1B9553CF2B4.exe
Verdict: No threats detected
Analysis date: 2022-12-03 05:16:49 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm fareit lokibot nanocore packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100

Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if UnHackMe application is installed (likely to disable it)
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Threat name: Win32.Infostealer.Tepfer
Status: Malicious
First seen: 2017-06-07 00:59:27 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 23 of 26 (88.46%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: bootkit persistence

Behaviour
Writes to the Master Boot Record (MBR)
Unpacked files

SHA256 hash: 53ffb5c1907ac5fe5689b794f3bf49f2f9cc39d82ae655b607c36bfd66909b93
MD5 hash: 6a5b4266d8bd449a15e6252105054400
SHA1 hash: a2801ffe6e60c83ac6aa63d99da873f0d81a1c97
Detections: lokibot win_lokipws_auto win_lokipws_g0

SHA256 hash: 3c1053b69df234c0db3927a8fde416852af0d3e5107f9531d91bcffca9df635a
MD5 hash: 00a234ac513fcd3a2dc5c19210839687
SHA1 hash: 0f36c79ae10d54c2c5f337899496dc1c8d5b86b3

SHA256 hash: fa74917b3412cf02ceb60de07292b3b5ad1b9553cf2b4f91cbd0b463276c128d
MD5 hash: 62d3e3ee385e01f1373de562d3b7c57a
SHA1 hash: bb5853e568638a08e4946bd485166e16d8caddbc

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments