MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f8d88733008dd5f32990c118fda0dc2ed6d9dde6ba86a911d9f1f03b64d243f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 12



SHA256 hash: 9f8d88733008dd5f32990c118fda0dc2ed6d9dde6ba86a911d9f1f03b64d243f
SHA3-384 hash: 3d9738cac097dc2ae7a5d4f66101a68a3d4e8deda6d3263daf3d1609cb724dfbc2ea83266eb821b7b709981b29cc615e
SHA1 hash: 645c56fbc3ed1692491ced75e4dab82fee834c6c
MD5 hash: 1c4253a8f79966167a67d53deea62d75
humanhash: georgia-connecticut-xray-low
File name: 1c4253a8f79966167a67d53deea62d75.exe
Signature: Loki
File size: 163'328 bytes
First seen: 2021-05-29 17:30:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 27ecc0b57cd2c602099f43c8db5587f3 (1 x Loki)
ssdeep: 3072:yT+BfGMxoZb0yt9FhoenOMjQz9C7LNrVppobYDV0uMHe:0+BfNxAb9t975QJCvNrVpzDM
Threatray: 3'105 similar samples on MalwareBazaar
TLSH: 19F3E132B7A01176D1715F388D2A012AF92B3C301636AC0EF6955E0E99797F25B19B2F
Reporter: abuse_ch
Tags: exe Loki


abuse_ch
Loki C2:
http://life-is-beautiful.in/api/Panel/five/fre.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://life-is-beautiful.in/api/Panel/five/fre.php | https://threatfox.abuse.ch/ioc/66894/

Intelligence


File Origin
# of uploads: 1
# of downloads: 344
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1c4253a8f79966167a67d53deea62d75.exe
Verdict: Malicious activity
Analysis date: 2021-05-29 17:31:50 UTC
Tags: trojan lokibot stealer opendir

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the Windows subdirectories
Launching a process
Creating a window
DNS request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Moving a file to the %AppData% subdirectory
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Lokibot Xtreme RAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs Xtreme RAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected Xtreme RAT
Behaviour
Behavior Graph:
Behavior Graph ID 426678 (sample ZF0bO7pGz7.exe, start date 29/05/2021, architecture WINDOWS, score 100). The graph image is not reproduced here; the process tree, dropped files and network contacts it recorded are:

Root-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures. Domains contacted: molingoli.sytes.net, life-is-beautiful.in.

ZF0bO7pGz7.exe (started)
    drops C:\Windows\InstallDir\Server.exe (PE32) and C:\Windows\...\Server.exe:Zone.Identifier (ASCII)
    signatures: Creates an undocumented autostart registry key; Contains functionality to detect virtual machines; Contains functionality to inject threads in other processes; 7 other signatures
    starts svchost.exe, 644build.exe, iexplore.exe and 7 other processes
        svchost.exe
            signatures: Contains functionality to detect virtual machines; Drops executables to the windows directory (C:\Windows) and starts them
            starts Server.exe
                Server.exe
                    DNS: molingoli.sytes.net
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
                    starts 644build.exe, iexplore.exe, explorer.exe and 2 other processes
        644build.exe
            network: life-is-beautiful.in 199.79.62.206 (PUBLIC-DOMAIN-REGISTRYUS, United States; ports 49734, 49736, 49737); molingoli.sytes.net; 192.168.2.1 (unknown)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 5 other signatures
Server.exe (started; three further instances at top level, only the first with recorded activity)
    drops C:\Users\user\AppData\Local\...\644build.exe (PE32) and C:\Users\user\AppData\...\644build.exe.exe (data)
    starts 644build.exe, iexplore.exe, explorer.exe and 2 other processes
Threat name: Win32.Backdoor.XtremeRAT
Status: Malicious
First seen: 2021-05-21 07:22:00 UTC
AV detection: 29 of 29 (100.00%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot persistence spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Lokibot
Malware Config
C2 Extraction:
http://life-is-beautiful.in/api/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
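The indicators this entry exposes (the extracted C2 URLs above, the IOC table, the sandbox signatures about a Run key pointing into C:\Windows and the drop to C:\Windows\InstallDir\Server.exe) are most useful once turned into a check that can be run over your own telemetry. The script below is an added example, not MalwareBazaar, ThreatFox or sandbox code: it matches a list of constructed endpoint and proxy events against exactly those indicators. The event shape (dicts with a "type" key) is an assumption made for the example, and the "POST to /fre.php on an unknown host" rule is a heuristic derived from the fact that every C2 in the extracted config shares that path, not something the page states.

```python
"""Triage constructed endpoint/proxy events against the indicators listed in
this MalwareBazaar entry. Added example; the event format is an assumption."""
from urllib.parse import urlsplit

# Indicators taken from the entry (C2 extraction, IOC table, behaviour graph).
C2_URLS = {
    "http://life-is-beautiful.in/api/Panel/five/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
}
EXTRA_C2_HOSTS = {"molingoli.sytes.net"}   # second domain in the behaviour graph
C2_IPS = {"199.79.62.206"}                  # what life-is-beautiful.in resolved to in the sandbox
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def norm_url(url: str) -> str:
    """scheme://host/path, lower-cased, query and fragment dropped."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path.lower()}"


KNOWN_C2 = {norm_url(u) for u in C2_URLS}
KNOWN_HOSTS = {urlsplit(u).hostname for u in C2_URLS} | EXTRA_C2_HOSTS | C2_IPS


def check_http(ev):
    url = norm_url(ev["url"])
    host = (urlsplit(ev["url"]).hostname or "").lower()
    if url in KNOWN_C2:
        return ("high", "request to known Loki C2 URL", ev["url"])
    if host in KNOWN_HOSTS:
        return ("high", "request to known C2 host", host)
    # Heuristic (assumption): all extracted C2s end in /fre.php, so a POST to
    # that path on an unknown host deserves a look, but is not a confirmed hit.
    if ev.get("method", "").upper() == "POST" and url.endswith("/fre.php"):
        return ("medium", "POST to /fre.php gate on unknown host", ev["url"])
    return None


def check_dns(ev):
    q = ev["query"].rstrip(".").lower()
    return ("high", "DNS lookup of known C2 host", q) if q in KNOWN_HOSTS else None


def check_registry(ev):
    # Sandbox signature: autostart Run key pointing to a binary in C:\Windows.
    if not ev["key"].lower().endswith(RUN_KEY_SUFFIX):
        return None
    data = ev.get("data", "").strip('"').lower()
    if data.startswith("c:\\windows\\"):
        return ("high", "Run key pointing to a binary under C:\\Windows", ev["data"])
    return ("medium", "new Run key value", ev["data"])


def check_file(ev):
    # Sandbox signature: executables dropped to C:\Windows\InstallDir and AppData.
    path = ev["path"].lower()
    if path.startswith("c:\\windows\\installdir\\"):
        return ("high", "executable dropped to C:\\Windows\\InstallDir", ev["path"])
    if "\\appdata\\" in path and path.endswith(".exe"):
        return ("low", "executable written under AppData", ev["path"])
    return None


CHECKS = {"http": check_http, "dns": check_dns,
          "registry": check_registry, "file": check_file}


def triage(events):
    """Return one finding dict per event that matches an indicator."""
    findings = []
    for ev in events:
        hit = CHECKS.get(ev["type"], lambda e: None)(ev)
        if hit:
            sev, why, what = hit
            findings.append({"host": ev["host"], "severity": sev,
                             "reason": why, "indicator": what})
    return findings


# Constructed events for the example; not real telemetry.
EVENTS = [
    {"type": "http", "method": "POST", "host": "ws01",
     "url": "http://life-is-beautiful.in/api/Panel/five/fre.php"},
    {"type": "http", "method": "GET", "host": "ws01",
     "url": "http://example.org/index.html"},
    {"type": "http", "method": "POST", "host": "ws02",
     "url": "http://unknown-host.example/panel/fre.php"},
    {"type": "dns", "host": "ws01", "query": "molingoli.sytes.net"},
    {"type": "registry", "host": "ws01", "value_name": "Server",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Windows\InstallDir\Server.exe"},
    {"type": "file", "host": "ws01", "path": r"C:\Windows\InstallDir\Server.exe"},
    {"type": "file", "host": "ws01",
     "path": r"C:\Users\user\AppData\Local\Temp\644build.exe"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['severity']:6} {f['host']}  {f['reason']}: {f['indicator']}")
```

Exact URL and host matches are rated high because they come straight from the extracted configuration and the sandbox's resolved address; the path-only rule and the AppData write are rated lower because both also occur in benign software, so they are triggers for a closer look rather than verdicts.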

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author:ditekSHen
Description:Detects binaries and memory artifacts referencing sandbox product IDs
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:infostealer_loki
Rule name:infostealer_xor_patterns
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Keylog_bin_mem
Author:James_inthe_box
Description:Contains Keylog
Rule name:Loki
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:RAT_Xtreme
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects Xtreme RAT
Reference:http://malwareconfig.com/stats/Xtreme
Rule name:STEALER_Lokibot
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:VMware_detection_bin_mem
Author:James_inthe_box
Description:VMWare detection
Rule name:win_extreme_rat_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_extreme_rat_w0
Author:Jean-Philippe Teissier / @Jipe_
Description:Xtrem RAT v3.5
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com
Rule name:Xtreme_Sep17_1
Author:Florian Roth
Description:Detects XTREME sample analyzed in September 2017
Reference:Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments