MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703
SHA3-384 hash: f8ac5e8fb00aeb99ead71f34c7b779121d2aabef6ab4f5f23aac1d243b778a5da00de2103847336e0dc497044370d892
SHA1 hash: 7579e290775b3ae1596ceae78ec06cd89d025019
MD5 hash: 42b6dbac1e076157112bfe9cab5eb637
humanhash: fruit-india-magazine-mountain
File name:gunzipped.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'145'856 bytes
First seen:2021-06-24 09:02:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:GXj4+bAaMd3REebAaMd3q1XwQTlsD7V7mK4zAT1q:MRAaMVRE2AaMVq1LmhQAZ
Threatray 74 similar samples on MalwareBazaar
TLSH 3C35E1103AD5901AF176BF7459E0F6A99A6FBFB27A13C00D38E136472633B42DD81279
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://63.141.228.141/32.php/DEuZ9gRuoeHIN

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://63.141.228.141/32.php/DEuZ9gRuoeHIN https://threatfox.abuse.ch/ioc/153160/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
gunzipped.exe
Verdict:
Malicious activity
Analysis date:
2021-06-24 09:14:22 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/617bce5f-cf8e-4794-8972-9a1c4af03235

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167935/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19a0302c-0fec-45b5-bb03-c517d87627f3
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807314
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 09:02:27 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aloikz4cxalubyqnak7duupzuihpkewcsb35mzko4ctmd7dfy4bq._file
Verdict:
unknown
Similar samples:
04f2bf850d32539660ffbadc861a721fc634bdeb6d2d9e09336024716ae9dae9
Loki
1823dd1d67def7b7f0df8ab785a80afceaaceb5088465304c80ecaa9f293a460
Loki
2849f8e54789388e2464504860329fc6d42ca47879cc61b8960e7297477cc948
Loki
2f20c054ff4637f4a052b973cc20d4ca7f80503abde935c68731ef0fdc737319
Loki
49b0abe332a386c4524d4a5a41e4ca43768e0416d7f3edfc47503314ad1ffc8c
Loki
515212213cc20758110038963c28d94d9f713bd4ee2d88e2f5eb4a917af0979d
Loki
60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96
Loki
961945f660c788431e4da67d6e3730ab4e3283979ad8d67df4c4bcdcb4a9f6e0
Loki
c94cc9b7cdd7d427ec608a607b8fe4515eba0479422b02b7008c3973ebc1dcf3
Loki
eed9c06050ec45f480528543bba5e3176158763beda21f62220bde77f0bdeb3e
Loki
+ 64 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot evasion spyware stealer trojan
Link:
https://tria.ge/reports/210624-betjsecwcn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
Malware Config
C2 Extraction:
http://63.141.228.141/32.php/DEuZ9gRuoeHIN
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec
MD5 hash:
81faf15c7e3c9446d906659f7c7a9f16
SHA1 hash:
d7e05a22b109ce608109dc509029a7fe22b4b8bf
Link:
https://www.unpac.me/results/04e5d3e3-3278-49ef-9fe0-f969f6bc2687/
SH256 hash:
b3bbdde7f3c9c22384211e3f26bebbf4d08192e0508ebc123ddb3547980d0e47
MD5 hash:
21dbfd6f89f67137c76f30b9d2584e2a
SHA1 hash:
d577e4b48660e8c53bc30fe7a7ce30b3b527f6d0
Link:
https://www.unpac.me/results/04e5d3e3-3278-49ef-9fe0-f969f6bc2687/
SH256 hash:
0508b769cfc888001321af9a629cb2e4091866b8dfea6d8b80818e123444d7b5
MD5 hash:
07a1298b92602d1b6b67364433dfb6da
SHA1 hash:
cfcb05895e527478f372fd63e220aea084ff1baf
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/04e5d3e3-3278-49ef-9fe0-f969f6bc2687/
SH256 hash:
02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703
MD5 hash:
42b6dbac1e076157112bfe9cab5eb637
SHA1 hash:
7579e290775b3ae1596ceae78ec06cd89d025019
Link:
https://www.unpac.me/results/04e5d3e3-3278-49ef-9fe0-f969f6bc2687/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02dc856782b81740e20d02be3a51f9a20ef512c29077d6654ee0a6c1fc65c703

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167935/

Comments