MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd77921b7841aadd46c6f0d58f80b2f54158da89fb677cabcdaf0431b283399. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffd77921b7841aadd46c6f0d58f80b2f54158da89fb677cabcdaf0431b283399
SHA3-384 hash: 735720d53d180d170315e0d033ccc7ef30f576047f5d53b04356d8bb26a068a7c57bf1f364f593cec778c08951224503
SHA1 hash: c3ee851b658a058a0b0920fffea76c05704a9a23
MD5 hash: c95fdb7e8ec18534b549dba339688353
humanhash: white-hot-virginia-four
File name:c95fdb7e8ec18534b549dba339688353
Download: download sample
Signature Loki
Create hunting rule
File size:520'192 bytes
First seen:2022-01-24 07:27:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:8vQYeaJp80rWbziBGpQSoRfyBrVCkGIIO34Kj4E0lIKY2oTOr6OmMDCjRxbz6q6x:8TMpQEBrVVGPVpfW86Om7j+q6+i9vYF
Threatray 41 similar samples on MalwareBazaar
TLSH T121B4CF4033B8960BDABA96F6187401D00B7AB91BAD75D7DE5CC2B1DF05F1B419B223A3
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221834/
Detection(s):
SecuriteInfo.com.Variant.Lazy.105604.26205.3404.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expand.exe ftp.exe obfuscated packed remote.exe shell32.dll
Link:
https://www.filescan.io/uploads/61ee55080f8c757253e10492/reports/5cf0d8f0-d9ea-4f01-8055-60de18b54d8e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e50830a-15fd-4876-8d6c-3e43c945c053
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/926095
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ffd77921b7841aadd46c6f0d58f80b2f54158da89fb677cabcdaf0431b283399/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-24 03:33:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
126f45f3b66e9b35762f43076a1c534f7bfbf36ab3a342ad18fcdf4117fa0d99
Loki
53870aefd3a2ecf727142d294e55b106a70eba55996cb1ec50963e0bc49bfb09
Loki
8ff3a9677131d5f17d08063f7133019c1571b41bca6ee0aad1223f1780674839
Loki
b7b6ea94f77d168308048fa2026c25cfb2337cf90b4722d445021c6f87ebef0a
Loki
c038069e737cb2c74934c0e86449fb4e37d7bbeaef092cfe06e925431bcb4806
Loki
f11ab395547ecacdcc66bd98f1006c3f9fd1ae42272ec5c9c9376a0657b58947
Loki
f2c6a57690440bb544bc9d083daf77fd62abe9b0c1840e89e44af5ffd9311e70
Loki
+ 31 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220124-japveadfeq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://secure01-redirect.net/gc12/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0bd738429f8dc1ac3bbddcc36e17986c40709b1a258e820ae3573f0f60c603a8
MD5 hash:
b5885fb672371dd70ba3ff7503860e90
SHA1 hash:
dd7d3965408ee5045eec9438200b121090ae2896
Link:
https://www.unpac.me/results/809aaac6-1ae2-4806-a2a1-5782e7fa097b/
SH256 hash:
ffd77921b7841aadd46c6f0d58f80b2f54158da89fb677cabcdaf0431b283399
MD5 hash:
c95fdb7e8ec18534b549dba339688353
SHA1 hash:
c3ee851b658a058a0b0920fffea76c05704a9a23
Link:
https://www.unpac.me/results/809aaac6-1ae2-4806-a2a1-5782e7fa097b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/ffd77921b7841aadd46c6f0d58f80b2f54158da89fb677cabcdaf0431b283399

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe ffd77921b7841aadd46c6f0d58f80b2f54158da89fb677cabcdaf0431b283399

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2001951/
Cape
Cape
https://www.capesandbox.com/analysis/221834/

Comments


Avatar
zbet commented on 2022-01-24 07:27:49 UTC

url : hxxp://103.138.109.35/googlecould/csrss.exe