MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03bdd34865273923034d10f9c46da5d0c82f7c42ff03f5db033e06b46f817fe2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03bdd34865273923034d10f9c46da5d0c82f7c42ff03f5db033e06b46f817fe2
SHA3-384 hash: fe6c61f8ec2cdb8256c68f96569c28713c6b141da15615f191f3812635d33a570a175004d528a3d9805d0634a031e249
SHA1 hash: 5fe0b664f1b0d73b807cbef7aba2d4cd84441000
MD5 hash: 104d468a05ca5138876654d59b6445a1
humanhash: louisiana-lithium-asparagus-yankee
File name:Po_20201015.exe
Download: download sample
Signature Loki
Create hunting rule
File size:369'152 bytes
First seen:2020-10-15 12:56:36 UTC
Last seen:2020-10-15 13:16:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:NiV9FZ9nLiaoJv5tKf/lQcxwh9H78SCD6oEXzl4uRN67aEdDrXxg:y9ZaPKH1x8PCD6TXz5smEdPxg
Threatray 1'651 similar samples on MalwareBazaar
TLSH 3274226332B00233C1CA4BFEB4A4640423E559853427E78D1EFA38EB7AB2751D6B5627
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: xbx0.506.fdion.ml
Sending IP: 68.183.49.202
From: Nguyen Quoc Thong <nqthong@506.fdion.ml>
Subject: Re: Purchase Order
Attachment: Po_20201015.gz (contains "Po_20201015.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71397/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492447
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298715 Sample: Po_20201015.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 11 other signatures 2->37 7 Po_20201015.exe 6 2->7         started        process3 file4 23 C:\Users\user\AppData\...\zbRonALRhknHbm.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp9641.tmp, XML 7->25 dropped 27 C:\Users\user\AppData\...\Po_20201015.exe.log, ASCII 7->27 dropped 39 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->39 41 Tries to steal Mail credentials (via file registry) 7->41 43 Injects a PE file into a foreign processes 7->43 11 Po_20201015.exe 54 7->11         started        15 schtasks.exe 1 7->15         started        17 Po_20201015.exe 7->17         started        19 Po_20201015.exe 7->19         started        signatures5 process6 dnsIp7 29 195.69.140.147, 49731, 49732, 49733 XSGGE Georgia 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/03bdd34865273923034d10f9c46da5d0c82f7c42ff03f5db033e06b46f817fe2/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 02:05:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ao65gsdfe44sga2ncd44i3nf2dec67cc74b7lwydhydli34bp7ra._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
11f3b25ae9fd0ba16395cb35d4d528f5180ecb436d0e095f9f4f0ff1e468e8eb
Loki
25f48722bf24e935d7bdca104b416f87424ced29dfec2fbebc817725f09af5f1
Loki
5c5ebd97c48cdd89aeaf3977c3f7951b5351e88c6e88e09627357fc1e1226c22
Loki
67eb81371ab1f5b10fee97f764cc640790bb518fa452554b34ddb4f2f7f74391
Loki
6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146
Loki
742df88a1a378e32ee39558cca89f9b9df3f865c2ba33635e9e260fbe1377f1f
Loki
7b7fd4955b651b7279580f7f52d30b7539becf0a637257ee53abeb7dcd03e3e8
Loki
a1cc51486690053098454d2e313c4db5071afb8ae600d8caa87a4c5769ee51c2
Loki
ca74ca06ac3bfd92aabfc85fc7e10ae5d9e2e6306ed488eb7bf0b06640890a9f
Loki
f9dfd82d610e342a0d0a21dad1df689c979f863ee1b9f978c56dee49c5bfbb69
Loki
+ 1'641 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
evasion spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201015-haad2ytb92/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/OxWthiADbKcbo
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
03bdd34865273923034d10f9c46da5d0c82f7c42ff03f5db033e06b46f817fe2
MD5 hash:
104d468a05ca5138876654d59b6445a1
SHA1 hash:
5fe0b664f1b0d73b807cbef7aba2d4cd84441000
Link:
https://www.unpac.me/results/508c2e74-41d5-4938-afbc-bc14e91d6375/
SH256 hash:
1fb47b88c33d46e65f1770aeab22cfeed5adffb24a5ab70d1ae77381d5fe1e37
MD5 hash:
278c2ae6dab13beef73319697753ebbb
SHA1 hash:
0c4475002a1e3a22eb40ad9e4ad32a6e0a1ffe90
Link:
https://www.unpac.me/results/508c2e74-41d5-4938-afbc-bc14e91d6375/
SH256 hash:
4922d88c344596a8c093a0130affd365fd191dbcead548b84cf2dfdb2f81e3fe
MD5 hash:
0505fc148cb3c4e1fe8970ca512a852e
SHA1 hash:
385190e25eec3b936922f90c32b902b9127d1e6a
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/508c2e74-41d5-4938-afbc-bc14e91d6375/
Parent samples :
ad6946570be39c2f4da1777083f2339cae24bec7928b460db68e55e53c915e22
03bdd34865273923034d10f9c46da5d0c82f7c42ff03f5db033e06b46f817fe2
94f3a02a7435ee096c0f5ee7321d8d82ae12826b144bf1c706ebaf6508734450
6490275833a54ddb21377ef003cacd595697c7659c1b7c6fc24a285fec1946ee
87623678275abae494cc6b28d4fcdb8e1fd1e016e7abd0e3bfd879a391d77256
0237202354dd53b6bea45eb62bfbe0a6cbf5652c259c483eec90501c694b9c4a
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/508c2e74-41d5-4938-afbc-bc14e91d6375/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/03bdd34865273923034d10f9c46da5d0c82f7c42ff03f5db033e06b46f817fe2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz c7272868949fd062d682c1181e97c2cc402387bdc2fcf30231d147b3b279c84c

Loki

Executable exe 03bdd34865273923034d10f9c46da5d0c82f7c42ff03f5db033e06b46f817fe2

(this sample)

  
Dropped by
MD5 823a161d458afb4dc3f62c4660506cbb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71397/
  
Dropped by
SHA256 c7272868949fd062d682c1181e97c2cc402387bdc2fcf30231d147b3b279c84c

Comments