MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0211f1dc94407a86459131e36dcffe165c9329eaac37c195701817260a3e01d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0211f1dc94407a86459131e36dcffe165c9329eaac37c195701817260a3e01d6
SHA3-384 hash: 9d36eb25762a10a35d25c2771c353ac9bb224666a960b4f9546b031155a821ec4ae73c90aed5c21e7e2874bb3bd04496
SHA1 hash: 21b6e56849e7795428df3969481814f975dd3c1c
MD5 hash: 651b936f511d8f36c69a93704fd3afde
humanhash: black-four-seventeen-robert
File name:0371000451985042023.exe
Download: download sample
Signature Loki
Create hunting rule
File size:573'440 bytes
First seen:2023-05-09 00:45:06 UTC
Last seen:2023-05-09 08:14:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5voZRLxJht7S1ErRc2nQtblN/qr8x3u0Gn0qFreOrbNj5Ay5Sr:5ehxt7S1Ey2nSbryc+JUOX3vS
Threatray 4'333 similar samples on MalwareBazaar
TLSH T1BFC4D0B0E1AE46F1E20B8AB02978BDA21E7231D3EDD9457807396544DFB7B143F8854E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0b1b9a92b4646968 (9 x Loki, 7 x AgentTesla, 5 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://104.156.227.195/~blog/?p=407596278315634

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
0371000451985042023.exe
Verdict:
Malicious activity
Analysis date:
2023-05-09 00:47:12 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/e04d03ad-f8ca-4371-be40-47e3e6672de6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387625/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/645997cad054a0b0ef840a1c/reports/fd3c5a1f-2a94-4a69-981d-b42cfa6c3a2b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/0211f1dc94407a86459131e36dcffe165c9329eaac37c195701817260a3e01d6
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3a2411a-acf7-49ab-9071-df07bc4abe45
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228768
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0211f1dc94407a86459131e36dcffe165c9329eaac37c195701817260a3e01d6/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2023-05-09 00:26:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 35 (54.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aii7dxeuib5imrmrghrw3t76czojgkpkvq34dflqdalsmcr6ahla._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0699e889c84a872eccddfa07916b7a7e379ce6335e1796d67d119b6450323790
Loki
1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1
Loki
216c876b63a28c7262bf7e425521f035509db0260e830710fbaf94dd2b61212f
Loki
416d574131255e4656d9d548ef7c74c1ba3850aa80a9acd9dbd0352eb03053ee
Loki
446532d38cb4ebb9c65b386158c45599c5215f64a4f7fba9824141ddf33ec16e
Loki
45ecfd36d97932c3c4fb1548684eaa696d4288cb373d95bae9010e057291611b
Loki
583810f9b255c471b1881133ca5d65efd3c96a389cf0f40461c40db3f7861355
Loki
74c836dfe668140a6936e71347ac8eafd517ec914d7201666081f99c2a6ae846
Loki
850877e704f398dcf595d4e4f2f89d9e39f636ce49d35a0cb1696864b7f56e7e
Loki
e4a9cb185c46bf812bf29890c14a2f20f6dbddfc1e34abe5e15af668077b33f6
Loki
+ 4'323 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230509-a4l6yade87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://104.156.227.195/~blog/?p=407596278315634
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35
MD5 hash:
8a2c496875c0871aecc16aae768b323f
SHA1 hash:
f5423a32125c70b512de301c5616c7b75477e2e7
Link:
https://www.unpac.me/results/3511dba0-c805-4e56-bbb7-6f80a76b55b9/
SH256 hash:
805b4ced0232391deb5a458df4e742c571bcdb19acfaa4f82dd1f5f9e93cb9a2
MD5 hash:
6866cefe75390774efafdba6c101076c
SHA1 hash:
9a86eece0d5997d304cd6f83b00405f894c68606
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/3511dba0-c805-4e56-bbb7-6f80a76b55b9/
Parent samples :
6d4b6902689bfea045b5dcb0ae5357cd840886cde981343be7d437696b369cc5
0211f1dc94407a86459131e36dcffe165c9329eaac37c195701817260a3e01d6
66b390d754492159e474e9860d5431520b5d674150865a1e61377644a528da6c
2075360d183bc285b081e1602bef5395973930a99383d06c74ffc6bf8e9665f0
SH256 hash:
76419c6099fb320a1f6899635bd8a4e9e82531623be020865fa4e05d3fd2a970
MD5 hash:
95799f35327b706d446502d4510c288d
SHA1 hash:
5853c191684ffa1379775bfe5bda1dae23b1f363
Link:
https://www.unpac.me/results/3511dba0-c805-4e56-bbb7-6f80a76b55b9/
SH256 hash:
b52c29ba9ef8996bdf721950d900db96f1befb9883eb38c2075528e60c7aabd4
MD5 hash:
7b6143d9d94c8b80d191b77d8b6d1ba2
SHA1 hash:
1c91704ff6da2a9dd8aaa2ff2d5a5f69a445f76b
Link:
https://www.unpac.me/results/3511dba0-c805-4e56-bbb7-6f80a76b55b9/
SH256 hash:
111567b9b4c05d831a64f8bb1ac1d46c80fc6c1f59e092baf97380feba07c724
MD5 hash:
924d9556c9f89ed2b90feba88eebdc93
SHA1 hash:
0fe01972845afcee16a4a7091a0367fd3341d07a
Link:
https://www.unpac.me/results/3511dba0-c805-4e56-bbb7-6f80a76b55b9/
SH256 hash:
0211f1dc94407a86459131e36dcffe165c9329eaac37c195701817260a3e01d6
MD5 hash:
651b936f511d8f36c69a93704fd3afde
SHA1 hash:
21b6e56849e7795428df3969481814f975dd3c1c
Link:
https://www.unpac.me/results/3511dba0-c805-4e56-bbb7-6f80a76b55b9/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0211f1dc9440/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/0211f1dc94407a86459131e36dcffe165c9329eaac37c195701817260a3e01d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387625/

Comments