MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b8c2f5ca53cdc33c7ee23f6c104812d47de1dbfb8ba5ccd9038db9f7189d0a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b8c2f5ca53cdc33c7ee23f6c104812d47de1dbfb8ba5ccd9038db9f7189d0a3
SHA3-384 hash: 7d4f6640c79b24b2a5c20154a3c270e39bd27ca6f0286a1502ae930b8c0f1c258c6599ade6e67aaede435a6ef24bdea6
SHA1 hash: 390920baed7867ee47fc1b26ebfd3c70be894c0b
MD5 hash: 8c7fff8f2d33246116b995148cd24659
humanhash: twelve-muppet-oscar-island
File name:PO.exe
Download: download sample
Signature Loki
Create hunting rule
File size:367'104 bytes
First seen:2020-08-06 06:33:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:dg2qsl5i4yzJzCslMjtHvU2hycntiRCLl3EVYBDFoTZXyw5lGfvW:Vqsl8L1z9lrZotqQVEVogZr5qv
Threatray 1'561 similar samples on MalwareBazaar
TLSH ED74D0041A984B12DB7C4BFF06A4953547B49F2F2D22E3585FC631E709BEBB40A909E7
Reporter abuse_ch
Tags:exe geo KOR Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail-smail-vm34.hanmail.net
Sending IP: 203.133.181.14
From: 이규철 <alo9999@victim-domain>
Subject: 견적
Attachment: PO.cab (contains "PO.exe")

Loki C2:
http://79.124.8.8/plesk-site-preview/krockabread.com/http/79.124.8.8/lento/Panel/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/40150/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412257
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6b8c2f5ca53cdc33c7ee23f6c104812d47de1dbfb8ba5ccd9038db9f7189d0a3/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 06:34:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nogc6xffhtodhr7oep3mcbebfvd54hn7xc5fztmqhdnz64mj2crq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
18ab0809d3bdfbe8c014e6eb8a478815344a6c8a3316ad3435891f1726a05995
Loki
3174c59112b25985b8c1454e28c3e42dce2e6b44e3da96d891bfd25622e586ea
Loki
35ba63b01ddc9f28a887e6286e205db48ae20c6b70f181d9f026abe468e4f32c
Loki
57d86d719f126ab791a63997ed510dec77649924b2e47d54b73ed3641b56678f
Loki
71c3b44c9696a97dea2455c598c742bc64213c46a692e8df57b1e57ca08fc524
Loki
a41851a6ade9f88136829a392e1ac11e0e06c21a25fdd0e3961a347d28204608
Loki
b1bb531b94fd992587eb042d3cf9d3cc5de717dc0c684c47b87e0913181330db
Loki
eb62fd0141733058ab86e491cd42e645341527cbaa10f339438528071ca17d28
Loki
ed08a1f65980d0f24e174be95df0c9b1bbb05703a7f267315ab34d02d46efaed
Loki
fcfc827205cd38cdf997f72b1d58eba51ac12da6ba5939279b626522b11fd938
Loki
+ 1'551 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200806-6x8938ra32/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/krockabread.com/http/79.124.8.8/lento/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6b8c2f5ca53cdc33c7ee23f6c104812d47de1dbfb8ba5ccd9038db9f7189d0a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab 11f365a36f4748ef53b04c51af36283bdf3c53ecf39ac9f69d0a9e842d042e9f

Loki

Executable exe 6b8c2f5ca53cdc33c7ee23f6c104812d47de1dbfb8ba5ccd9038db9f7189d0a3

(this sample)

  
Dropped by
MD5 2164f727c22ba1e4bf295ad597631741
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40150/
  
Dropped by
SHA256 11f365a36f4748ef53b04c51af36283bdf3c53ecf39ac9f69d0a9e842d042e9f

Comments