MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31df98db4c11815fe60b4a2a6252b5d49306788f10b3e1a475cd7ae16a224e61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31df98db4c11815fe60b4a2a6252b5d49306788f10b3e1a475cd7ae16a224e61
SHA3-384 hash: 651869faa747860d1bf7fc92e99d7ce6be68d911e0704401a258516ec1c39abbc838150463cda6785b242447fcf40491
SHA1 hash: babd465080a7bf4425fd42780a8b49283ef623e6
MD5 hash: 26cb5d0d5d62af02e200f40f45a88f7d
humanhash: cup-tennis-mars-fillet
File name:kwitansi bank 0070620200012-pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:376'832 bytes
First seen:2020-07-07 12:53:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:duZrpFgXePlNPPF1Qbw+DFHzSeCO09t/h+Q5dva4RoNvbvFvWQQPO/Ldpj0ac:duZr/gXePlNPPF1QU+BHtCO6MiaGibNY
Threatray 1'569 similar samples on MalwareBazaar
TLSH B5846B7532279EA7C63A08F4800428414FB055AB3A6DE3EDBCC3B1C7A5C5FD09A569B7
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: smtpgw2.nayatel.com
Sending IP: 115.186.188.155
From: Banco Patagonia <vdelapena@bancopatagonia.com.ar>
Subject: Patagonia e-bank Empresas: Aviso de transferencia de fondos
Attachment: kwitansi bank 0070620200012-pdf.gz (contains "kwitansi bank 0070620200012-pdf.exe")

Loki C2:
http://mygreencity.in/scripts/Panel/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22285/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Reading critical registry keys
Launching a service
Creating a file
Changing a file
Replacing files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Stealing user critical data
Moving of the original file
Enabling autorun with Startup directory
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/31df98db4c11815fe60b4a2a6252b5d49306788f10b3e1a475cd7ae16a224e61/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 12:55:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ghpzrw2mcgav7zqljivgeuvv2sjqm6epccz6djdvzv5oc2rcjzqq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
082e166994f21973b69b5a604aa7c8172b2c8457b35c8dac62712485962d62cb
Loki
50823ae6e2e1cdf7aeb3fa1e9398ef0f5f7c244d22e3a1fce261aa0836bd02bd
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
55b4be92fb1e6cf2d51b1598bea503929ef8f3166b19bffefd3320bf7eba4613
Loki
935e06731d9b88fcf33673ae11c9f9d184610aa64a6b7e1da89b1328a34e1b83
Loki
be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd
Loki
c51d4fc5a8422271d20c83380f1cb646a19ca48c6bd4e509b29579d01bd8ea68
Loki
df1f012094e4d7601eecac850af54eb268691a8dd95f79fae052e6b7588780f5
Loki
f073191a21f23331e81a72be9b9c150902abf2247e1107f18a8f76ed2ab8ab69
Loki
f450de216509d54d57606d71016ad6749f124b789a35ceffbbc5f768d62bdf4d
Loki
+ 1'559 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200707-v5xmr62m16/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://mygreencity.in/scripts/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz dae03e7693f1c2385c49f9857db98f88c9aea503ea4cbea13445e61cbc8794cb

Loki

Executable exe 31df98db4c11815fe60b4a2a6252b5d49306788f10b3e1a475cd7ae16a224e61

(this sample)

  
Dropped by
MD5 fd01e68dcd839bf3d9ecc34f96e40d85
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dae03e7693f1c2385c49f9857db98f88c9aea503ea4cbea13445e61cbc8794cb
Cape
Cape
https://www.capesandbox.com/analysis/22285/

Comments