MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe823abb3c806772c54f94db204bbb85891f2b4ec638fea125f17bd11ccec16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	ffe823abb3c806772c54f94db204bbb85891f2b4ec638fea125f17bd11ccec16
SHA3-384 hash:	5143bec3aaf220f322e2429dfe1f3f34fd4031c7028e5faf7535436a68a2f1594562d10409c73f94939824ab171ec0ab
SHA1 hash:	313ec9bb34cf80db1e6a8fd30d086039982df432
MD5 hash:	dae621568a66f6d38a75c2dc568fe6bc
humanhash:	muppet-lima-ink-saturn
File name:	dae621568a66f6d38a75c2dc568fe6bc.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	347'136 bytes
First seen:	2022-02-18 11:04:41 UTC
Last seen:	2022-02-18 13:08:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	84a42a12f2bbc8b1d3328617af7521d0 (4 x RaccoonStealer, 1 x Loki)
ssdeep	6144:Y6gyWxYXNY44MwgodHRKuL3eScDKXF0pJ5gCVrX8pnlo:1aYXy47NodHRKuLYDKupTgCxX+
Threatray	6'418 similar samples on MalwareBazaar
TLSH	T18B74AE40BBA0C03DE4B712F87876D3ADA52E7DB19B2451CB62D12AEE56346E0DC7530B
File icon (PE):
dhash icon	25ac137839939b91 (12 x Smoke Loader, 7 x Amadey, 5 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/242507/

Detection(s):

SecuriteInfo.com.Trojan.Siggen16.59744.21100.20788.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Sending a custom TCP request

Stealing user critical data

Query of malicious DNS domain

Moving of the original file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/6587/overview

Behaviour

MalwareBazaar

MeasuringTime

CPUID_Instruction

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/620f7d67ac8ad0468b508370/reports/fbcd727a-d7e6-4535-9908-d25cf2469908/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/df9579fb-0222-4ac5-b114-ae3caec87e87

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/942154

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/ffe823abb3c806772c54f94db204bbb85891f2b4ec638fea125f17bd11ccec16/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2022-02-18 05:02:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=77uchk5tzadholcu7fg3ebf3xbmjd4vu5rry72qsl4l32eom5qla._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

02123a89ddac869b20148825d4d486598c910a71b300937f4b461cdab90f960b

Loki

21fe47c1ec28c406ad49dfeffa4dbae703a86b9ae7f93695d0d69aa58e408b3a

Loki

3a54de0b1011ef669ea2fbbec688ae4d0ba04324cd35064df4824b6b47ae5ab0

Loki

625fe1298820b5e535751e38ba8b25c8521e0a663f7fa0248b8b243d80acbe1d

Loki

76ca65253be929f259643b25e5c85373a25febf33b462dd43fb6bf61454aaa3f

Loki

96d4f14f8d1be02a21feb4533eca4f270716e7b0feefe6e5a477454f13db99d1

Loki

d16b5c249dea1a1d9f395d5b38a62a5a4466c70fe23f2e7dbe95e8b531d7d383

Loki

dc199c7585c7d30d2132c40f40a6177da8312cdd9cc641282e4499f1fb32c979

Loki

+ 6'408 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220218-m6vx3sdcek/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Drops file in Windows directory

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://secure01-redirect.net/gc8/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php