MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf30f4616da5cf69253a4d21081ebc43546835d2f5ec3164b74daecf5f94f5d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf30f4616da5cf69253a4d21081ebc43546835d2f5ec3164b74daecf5f94f5d2
SHA3-384 hash: 7da2a399bd5faff12790e902786c3528304b5d3af74d3518e3a3b4731633098b9017e38e1e4d40dc1334d4ecd5dec3d3
SHA1 hash: a07bf7c795870b389754a5219cba1dc500e9e8c4
MD5 hash: d81c29b22b384da36fad651a404135d3
humanhash: lactose-nevada-nebraska-lemon
File name:PO 200818-O1B.exe
Download: download sample
Signature Loki
Create hunting rule
File size:308'224 bytes
First seen:2020-08-18 12:47:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:MrA4EcmZHyXFaxmVmie9bngP6qGAGN4se/+B9au07OLcpf9uuq4qds+d+bIOL1L:MrA4EcmZHAFaxmVmie9bngP5GPa/bJ7b
Threatray 1'476 similar samples on MalwareBazaar
TLSH 5764CF6C31E450A5F2F59BB5ADB02D08077E370F9525DE0B0E91A5A943F1BE0A817F2B
Reporter abuse_ch
Tags:CHN exe geo Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm49.hanmail.net
Sending IP: 203.133.180.237
From: 구매부 김승준 과장 <lkj02250000@daum.net>
Subject: 견적 요청
Attachment: PO 200818-01B.cab (contains "PO 200818-O1B.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47849/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bf30f4616da5cf69253a4d21081ebc43546835d2f5ec3164b74daecf5f94f5d2/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 12:49:06 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4ypiylnuxhwsjj2juqqqhv4inkgqnos6xwdczfxjwxm6x4u6xja._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
01d0e94a720972c1823b00d8cf58764c46560b5076532ffc8d605c9f7772a50f
Loki
0a24de6dc7649dec6421707d17740a28c2e6bc292206f585713c6ff17e7f6112
Loki
2920875227a99846d5be677db5ff05a24a88468ad68c35520983465c462353cf
Loki
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
Loki
4d3e8c6d43fcdf1f060986547c0d0af4a27c4ebe9377b374c6981f27d317d5cf
Loki
5feae79dd60821d07068c2c3d5a9d6051c10064cbcf5d85150753c2e70e9da2a
Loki
7196ed7fd02f5b2849ba106668bc24016a87ed1622f65b0cd814f4471480d30e
Loki
991e13e3b9c2e677d07ac57a29818b67faff846632bb9657b9af35e6fb92ea2a
Loki
b1c1df9daeb93473a208117db8782e0a6245e3b8c6f13da6405a79a1e36ab821
Loki
f7402454608a5e4510e78a5332f29cbbb01df24be9a879c0c48f27e69a66777d
Loki
+ 1'466 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200818-y85v7wkmpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/krockabread.com/http/79.124.8.8/kiriko/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf30f4616da5cf69253a4d21081ebc43546835d2f5ec3164b74daecf5f94f5d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab 86380292c7cd18d0b949cd194a1742a0d7ff63475d20f292459374bcc671ad5e

Loki

Executable exe bf30f4616da5cf69253a4d21081ebc43546835d2f5ec3164b74daecf5f94f5d2

(this sample)

  
Dropped by
MD5 307d29573421e898a94f40ccb45712d0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47849/
  
Dropped by
SHA256 86380292c7cd18d0b949cd194a1742a0d7ff63475d20f292459374bcc671ad5e

Comments