MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384
SHA3-384 hash:	44ed9b49fadc371a5a5cf46683d091b446d96898ecefab90a9e99fa367a18978febd6906ea5de65e44dcee143a79214b
SHA1 hash:	891f34031c78c5abdb2409875df6f12ca2402ee6
MD5 hash:	a72d1cf1d33ee850c6b714ee2f9c60b0
humanhash:	friend-mars-idaho-black
File name:	DaxParker Purchase Order 03062023pdf files.ex.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	1'017'856 bytes
First seen:	2023-03-06 11:25:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:q1Qwe3cOQVFPRSzpL3iu7IBv+4OcdPv3Gm5ydGk81dFhbaeFD:qB7FPRW3it1+4xbEcdq
Threatray	121 similar samples on MalwareBazaar
TLSH	T1332529B02D738162E14F06717429BBC91F3E6C4766D9E16F197A79804E309BAF2C4E72
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	f0cccc6969e8c4f0 (2 x Loki, 2 x Formbook)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://68.183.13.128/?page_id=4136377

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

DaxParker Purchase Order 03062023pdf files.ex.exe

Verdict:

Malicious activity

Analysis date:

2023-03-06 11:26:20 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/522a7cfe-d459-490d-82a7-8d28aab2007a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/371930/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6405cdcb03b144271569e7c3/reports/58bcb47f-cd6a-4d06-9e18-e35ac4ae255e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35923755-8f50-413f-ac19-d7116cc6e7ac

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1187737

Signature

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384/

Threat name:

ByteCode-MSIL.Spyware.Snakekeylogger

Status:

Malicious

First seen:

2023-03-06 11:41:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=azdaz2xvufx42tljoih7suex4omaymm3huybqst7phpffqk2qoca._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

1004c0413336aec1c5d34dc6cfe493d6928b1550874454efe7355d0c011f44df

Loki

53e04b40ad30d83c66ef729d87e5822f732fbc6804cbe216d68898f583ce7ad3

Loki

63ca930143e890d08ed3b8b8e0804350795ce6b053ac57621602743562f199f7

Loki

66bf3cedae82f70793c807db231ed455594c60e5cf0daabbfebdd7d69ec1f91d

Loki

9235e70ae950a3b47729b9cd33bd38b37a0f89b855f4d171ff04a907815b3c65

Loki

99e2a2ff576947884f1b3019b01893b5e1df07e20187c9de9f274bbb971118db

Loki

fccebf9b597398ab3e46b9f50076f8a3bcdb24cd4f3786e1c4540637cf32d96b

Loki

+ 111 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230306-njt8psbd5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Lokibot

Malware Config

C2 Extraction:

http://68.183.13.128/?page_id=4136377
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f

MD5 hash:

f4e7e91d4fdda2d3feb401b5b1d53abf

SHA1 hash:

cf9e76e6418850ac853bd9c6ce82a0be7920fc1d

Link:

https://www.unpac.me/results/17fc13a1-c5af-44c2-8f6f-c0aedcd5b2a7/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/17fc13a1-c5af-44c2-8f6f-c0aedcd5b2a7/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

9cad8d4b6e8ae179ab80d807c8ffa1e631367212fc1822c79d014736028ba08e

MD5 hash:

41763d524c57ca2f54c70fe5c5423693

SHA1 hash:

4548e1ebb2d281f00714d738a38ebe1918c872e9

Link:

https://www.unpac.me/results/17fc13a1-c5af-44c2-8f6f-c0aedcd5b2a7/

SH256 hash:

11d023325f99b8ea727359780bb58d68bdd5b948ca2ba3e9fc13b36ab2fb005c

MD5 hash:

a53c9a40bca8d343700294aaba3b9978

SHA1 hash:

3dcfd33aa1ea390079dc91ed52c640f4e7149cd9

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/17fc13a1-c5af-44c2-8f6f-c0aedcd5b2a7/

Parent samples :

89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7
d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384

SH256 hash:

3f0ef3004b2f53d4619c5e21415ef2cf1629dc66c839b0f0333dbee4be47faab

MD5 hash:

08125d4e14b001c5de67a76d6901c34f

SHA1 hash:

1e941781a935c3bdc3c3a4a629289426178a645c

Link:

https://www.unpac.me/results/17fc13a1-c5af-44c2-8f6f-c0aedcd5b2a7/

SH256 hash:

06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384

MD5 hash:

a72d1cf1d33ee850c6b714ee2f9c60b0

SHA1 hash:

891f34031c78c5abdb2409875df6f12ca2402ee6

Link:

https://www.unpac.me/results/17fc13a1-c5af-44c2-8f6f-c0aedcd5b2a7/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/06460ceaf5a1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/371930/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample