MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daf01c5114ac5dd2e6a52d4ce4174e19482ed9f4d0409d734bc3c39a29f48497. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

SHA256 hash: daf01c5114ac5dd2e6a52d4ce4174e19482ed9f4d0409d734bc3c39a29f48497
SHA3-384 hash: 60b40bae7ed8efb84dee4b90134fcf8dd20534ab6f89927c43490c368396a0d8d6b1237c2384adcedfa185e9cf884eb4
SHA1 hash: 495477cdbadf5c7ba26c7e8e2903ce6534b15e32
MD5 hash: 75cfd0a0c8b9bc3f741e0963ab00d5c7
humanhash: friend-massachusetts-double-carbon
File name: 75cfd0a0c8b9bc3f741e0963ab00d5c7.exe
Signature: Loki
File size: 1'421'312 bytes
First seen: 2022-08-31 15:05:38 UTC
Last seen: 2022-08-31 15:38:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 09af7f6ebe86ff9b7fc9ecd8da0cda36 (1 x Loki)
ssdeep: 24576:TAwLuc7VRctRRm/vqQIbwGiYEX3PuOobtnLtd/uo34qFlLBxC:MwLuestsvrCAWlbtLtNu8n
TLSH: T15E6502ABE9048E4AC18E9271DD781F1C9DD20F379F95D4573D6A32D849304B8AA13F2E
TrID: 84.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
      5.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.6% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
      2.0% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: e1ecb6b29e86c0e2 (1 x Loki)
Reporter: abuse_ch
Tags: exe, Loki

abuse_ch
Loki C2:
http://login-mail-server.s3rv.me/server/Panel/five/fre.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://login-mail-server.s3rv.me/server/Panel/five/fre.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/846989/

Intelligence


File Origin
# of uploads: 2
# of downloads: 301
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Reading critical registry keys
Launching a process
Creating a process with a hidden window
Setting a keyboard event handler
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DarkComet, Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Backdoor.Androm
Status: Malicious
First seen: 2017-07-07 09:13:30 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:darkcomet family:lokibot botnet:guest16 collection persistence rat spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Darkcomet
Lokibot
Modifies WinLogon for persistence
Malware Config
C2 Extraction:
185.140.53.117:1985
http://login-mail-server.s3rv.me/server/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: 7bf51153a9eb2dcececeeb40e1f342e52af3feea6089e6d5622946c4786c2b9f
MD5 hash: c9c3888efa15a191d7a5c75e9c89d0d9
SHA1 hash: c03c568b576d299322963166cf614599abe52994
Detections: win_lokipws_g0 win_lokipws_auto lokibot

SHA256 hash: 5356f94fc2d25126dc80b7552da5c311d90318cb9f89bacf296dee3ce0d26e2f
MD5 hash: d80debf77a79e5d605f91e2a589ea1d5
SHA1 hash: 9a33e569d2b50491dd09f3bebde1e5c11643e60a
Detections: win_darkcomet_a0

SHA256 hash: e7d88c2cf35c584f15334c2c16c96ea4eb0ea75fe4cd6d205f784b1e5e0f2bc6
MD5 hash: aefb1aa4b33fcf72bdc10585ed4e6db4
SHA1 hash: bc0a8607d8712156e3f2dc18e5629c28734f0598

SHA256 hash: 8249c72986cb1516990129250136b21adcaad1d45f95f0ece14154a5703a3f49
MD5 hash: e66604c33082be8973cf995ca3931238
SHA1 hash: 79e8dd74e90f38c1c351e6dc023c2a2c8b25e3cb

SHA256 hash: 78ca9a99b2abdc048487a88cfc95c0e7d89822a41febb904dc09316db0ff0d8a
MD5 hash: 8d99bad2f563bbabfb3bb3bf5e4267a4
SHA1 hash: 1d51c670de70bfbd3cdb57d5abeae6abbbb50465

SHA256 hash: daf01c5114ac5dd2e6a52d4ce4174e19482ed9f4d0409d734bc3c39a29f48497
MD5 hash: 75cfd0a0c8b9bc3f741e0963ab00d5c7
SHA1 hash: 495477cdbadf5c7ba26c7e8e2903ce6534b15e32
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments