MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bb97dce40fb704d418bf56eaac0d0d8a62457920f57f20474d1b05a6e8bcf36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bb97dce40fb704d418bf56eaac0d0d8a62457920f57f20474d1b05a6e8bcf36
SHA3-384 hash: 974fa488d5dcf33d67178eb9748b0c6af6529942d106b74d261f734e53d99b52d3dfe6ea0cbf9c8573530d2ef0c5a0e9
SHA1 hash: 9d1de8a1371dead41e6d7bf7fc203e022397bfa7
MD5 hash: c503e307341f2a94c5cd6e0cc3160647
humanhash: may-diet-utah-georgia
File name:0BB97DCE40FB704D418BF56EAAC0D0D8A62457920F57F.exe
Download: download sample
Signature Loki
Create hunting rule
File size:423'424 bytes
First seen:2021-09-20 11:11:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a391fda099714b955a3102eda9e0c1dc (1 x FormBook, 1 x Loki)
ssdeep 6144:d+BfhH6Avgk3YuJamgkkI4Iev2JGEhb8XnYTq6h70riHD2uxgWQlMSzYvoCYms93:dIDvpzad/V2lgXn0gSD0hXyteAePRV
Threatray 29 similar samples on MalwareBazaar
TLSH T15F941215A2945536E0B38F3CCC5A13A6E47F3832193AA84FF5542D198D7E3E3271DA4B
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://molinolatebaida.com/fotos/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://molinolatebaida.com/fotos/Panel/five/fre.php https://threatfox.abuse.ch/ioc/223817/

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0BB97DCE40FB704D418BF56EAAC0D0D8A62457920F57F.exe
Verdict:
Malicious activity
Analysis date:
2021-09-20 11:12:16 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/15c9e61d-454d-4b58-9488-8481b3e46843

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Xtreme
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189401/
Detection(s):
Win.Trojan.XtremeRAT-9817317-0
Create hunting rule

Win.Trojan.Xtreme-5744908-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Moving a file to the %AppData% subdirectory
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the Windows subdirectories
Launching a process
Creating a window
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun
Unauthorized injection to a system process
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd7f77cb-955b-4860-af14-863f0a26ff08
Result
Threat name:
Xtreme RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853964
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs Xtreme RAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Xtreme RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486397 Sample: 0BB97DCE40FB704D418BF56EAAC... Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 63 molinolatebaida.com 2->63 65 junpio70.hopto.org 2->65 81 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus / Scanner detection for submitted sample 2->85 87 6 other signatures 2->87 9 0BB97DCE40FB704D418BF56EAAC0D0D8A62457920F57F.exe 5 8 2->9         started        13 Server.exe 3 2->13         started        15 Server.exe 3 2->15         started        signatures3 process4 file5 53 C:\Windows\InstallDir\Server.exe, PE32 9->53 dropped 55 C:\Users\user\AppData\Local\...\436ikoi.exe, PE32 9->55 dropped 57 C:\Windows\...\Server.exe:Zone.Identifier, ASCII 9->57 dropped 97 Creates an undocumented autostart registry key 9->97 99 Creates multiple autostart registry keys 9->99 101 Contain functionality to detect virtual machines 9->101 103 8 other signatures 9->103 17 svchost.exe 1 9->17         started        21 436ikoi.exe 1 9->21         started        23 chrome.exe 9->23         started        31 7 other processes 9->31 59 C:\Users\user\AppData\...\436ikoi.exe.exe, data 13->59 dropped 25 436ikoi.exe 15->25         started        27 chrome.exe 15->27         started        29 explorer.exe 15->29         started        33 2 other processes 15->33 signatures6 process7 dnsIp8 61 192.168.2.1 unknown unknown 17->61 69 Contain functionality to detect virtual machines 17->69 71 Drops executables to the windows directory (C:\Windows) and starts them 17->71 35 Server.exe 16 17->35         started        39 Server.exe 3 17->39         started        73 Antivirus detection for dropped file 21->73 75 Multi AV Scanner detection for dropped file 21->75 77 Machine Learning detection for dropped file 21->77 79 3 other signatures 21->79 signatures9 process10 dnsIp11 67 junpio70.hopto.org 35->67 89 Antivirus detection for dropped file 35->89 91 Multi AV Scanner detection for dropped file 35->91 93 Machine Learning detection for dropped file 35->93 95 4 other signatures 35->95 41 chrome.exe 35->41         started        43 explorer.exe 35->43         started        45 chrome.exe 35->45         started        51 5 other processes 35->51 47 chrome.exe 39->47         started        49 explorer.exe 39->49         started        signatures12 process13
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0bb97dce40fb704d418bf56eaac0d0d8a62457920f57f20474d1b05a6e8bcf36/
Threat name:
Win32.Backdoor.Xtreme
Create hunting rule
Status:
Malicious
First seen:
2018-03-24 17:28:17 UTC
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bo4x3tsa7nye2qml6vxkvqgq3ctciv4sb5l7ebdu2gyfu3ulz43a._file
Verdict:
malicious
Similar samples:
1b81bb8eba4f537a34f2ca2ab55b98b28eda558e2ef11a3fcf2f167f4ef6b66c
Loki
48236bb4fa38724fb0a368673e14c364fde3fa5e95ba42db44a0193ba4c13beb
Loki
5a9be6ab91b206446ee357cb8cad8c2ec9fb0727e895b679886fd35bddc4ae9b
Loki
7b3038c1373ca79b19dc5789778a1a0cf38d49a0fcda94d9288be6f648d9d269
Loki
8edd6dd53784f816039a5f935567cb551d0743a85713116670d2caae1d9ebd86
Loki
9f8d88733008dd5f32990c118fda0dc2ed6d9dde6ba86a911d9f1f03b64d243f
Loki
a018379d343600dab5b728e46d2ee4e12d3853837fcf129d6831a57787d9d00c
Loki
af504337b51f5fb5bcc3c779afc95bf5b167431660ebd8b71fcfdff1ec9e227a
Loki
c121b14316a1f7976c4337f37c29acd3a1efeff592617736b1ae1e6d3bf04b09
Loki
c8b1cce5ae65d68b7ca2a419b1499d7bec6e4e3d1e04d3e3f040eeaeb6080146
Loki
+ 19 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/210920-naa4gagdhm/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
UPX packed file
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://molinolatebaida.com/fotos/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0bb97dce40fb704d418bf56eaac0d0d8a62457920f57f20474d1b05a6e8bcf36
MD5 hash:
c503e307341f2a94c5cd6e0cc3160647
SHA1 hash:
9d1de8a1371dead41e6d7bf7fc203e022397bfa7
Detections:
win_extreme_rat_auto
Create hunting rule
win_extreme_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/32b207aa-d1a3-47fd-be70-42b690cff712/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Xtreme RAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bb97dce40fb704d418bf56eaac0d0d8a62457920f57f20474d1b05a6e8bcf36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Create hunting rule
Author:ditekSHen
Description:Detects binaries and memory artifcats referencing sandbox product IDs
Rule name:RAT_Xtreme
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects Xtreme RAT
Reference:http://malwareconfig.com/stats/Xtreme
Rule name:win_extreme_rat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_extreme_rat_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Xtrem RAT v3.5
Rule name:Xtreme_Sep17_1
Create hunting rule
Author:Florian Roth
Description:Detects XTREME sample analyzed in September 2017
Reference:Internal Research
Rule name:Xtreme_Sep17_1_RID2C05
Create hunting rule
Author:Florian Roth
Description:Detects XTREME sample analyzed in September 2017
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189401/

Comments