MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 070df000e80ccf39e53f4aa7eab00126fee74516937d795f1cef25f6321acc12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 070df000e80ccf39e53f4aa7eab00126fee74516937d795f1cef25f6321acc12
SHA3-384 hash: eff94c0e2cb39c79dde3fe41a5903698d5c8f9cff3c7633efa073a08cd45150c95cfcd109c8f19432e34d1ca1c563d16
SHA1 hash: 5bb50a5052d457a1707e56c05f5bd48ad41fa099
MD5 hash: 3d971be15fdbf544cc74486f78cf8c07
humanhash: uranus-florida-mango-summer
File name:wonjure.exe
Download: download sample
Signature Loki
Create hunting rule
File size:157'184 bytes
First seen:2020-07-13 12:52:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:qLSXk7/EGQ0+t0/QbMiol3M8CtXWeS6pCtfQZN5zBCFo60b:QQZGsF+3MGRHQvNw+60
Threatray 1'579 similar samples on MalwareBazaar
TLSH A0E30115A3DF5766DD35AEB03C640332C33BAF044926F6A87B993198CC32F961922772
Reporter abuse_ch
Tags:exe geo KOR Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail-smail-vm39.hanmail.net
Sending IP: 203.133.180.227
From: 동산상사 <dongsan34@daum.net>
Subject: 발주서송부건
Attachment: file.cab (contains "wonjure.exe")

Loki C2:
http://79.124.8.8/plesk-site-preview/akinsab.ru/http/79.124.8.8/wonjure/Panel/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25336/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Launching a service
Creating a file
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/070df000e80ccf39e53f4aa7eab00126fee74516937d795f1cef25f6321acc12/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 12:53:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4g7aahibthttzj7jkt6vmabe37ooriwsn6xsxy454s7mmq2zqja._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
24525c617a94df99025ac3d748b7ab13aba5ed37aea5100cd424e684760a43da
Loki
2920875227a99846d5be677db5ff05a24a88468ad68c35520983465c462353cf
Loki
2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee
Loki
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
Loki
4d3e8c6d43fcdf1f060986547c0d0af4a27c4ebe9377b374c6981f27d317d5cf
Loki
57e052aa747095c82cdc7e459d734e98bf1dde6853d94f2b1179f47b30ddcdad
Loki
aff8e79eb627e87ebf95d5f77df5a0ca063004b733df90cd1caad8350eca88b3
Loki
b1c1df9daeb93473a208117db8782e0a6245e3b8c6f13da6405a79a1e36ab821
Loki
edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727
Loki
f9e2b4bbf2bd2f5e267f01e74ed12025fc3fcebfbd534a59f083db8a080e5f32
Loki
+ 1'569 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200713-a5sqcremjs/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/akinsab.ru/http/79.124.8.8/wonjure/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab fc23ade85616054d74808ca5283542d8d7f0f7133c05f66e4fdb4dc3429afec6

Loki

Executable exe 070df000e80ccf39e53f4aa7eab00126fee74516937d795f1cef25f6321acc12

(this sample)

  
Dropped by
MD5 050350532f908ace9f67dbb6299e24f8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25336/
  
Dropped by
SHA256 fc23ade85616054d74808ca5283542d8d7f0f7133c05f66e4fdb4dc3429afec6

Comments