MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092
SHA3-384 hash:	9446be43a066ea9b5dbfbb42e7ed4e3c6205f71f3af47e0f04d007a93704f6f65aebcf6f01f036df17962fb579004055
SHA1 hash:	845e0d61b4235e98eabc3283127f5df172bff299
MD5 hash:	d9c567f2ba8a1793ff8928fb5ab552ac
humanhash:	eleven-carbon-cardinal-fifteen
File name:	02708799.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	652'800 bytes
First seen:	2023-05-29 08:21:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:IHkmFx2iqNhujGjUmhUo5B8kI5OnOdSHV502kiuDx5yhEh4:IEmFxUFhd8kI5OnBV50xi45+Eh
Threatray	4'223 similar samples on MalwareBazaar
TLSH	T1BED4124427F3872BD83B47FD207159B003FB668E7A21F7564E83B0E8AE16F515A01A5B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	Neiki
Tags:	Loki

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

02708799.exe

Verdict:

Malicious activity

Analysis date:

2023-05-29 08:24:12 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/1cca943c-bfe0-4c08-8f3f-5f1fe50d0a1d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/392989/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.23742.1639.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/647460ad1684784512a33858/reports/ad2b286f-cc1f-42fd-90d8-af96ba0c8b06/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3e91d76a-4dbd-4153-ade4-f8856577b339

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1244346

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2023-05-29 07:52:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a4e7tyxxnid3ekvfgyixtvysbpmbe76efihvyke7opupozcgacja._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0af4bdeb4de3a9f8cac5601c872cd4d9a7e9fb06a4fc0a7ed4fb60d6cb64b957

Loki

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188

Loki

79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4

Loki

f3797cb6054ef9d5de1b4ecb2745424ef0481c5cb28ec2f2384d2591019e1650

Loki

+ 4'213 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230529-j9kpqsbb71/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://185.246.220.85/fresh/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

e8e18f20e876d1bf7d066079aabf42fecd3a6f900c1980ac73e97ca5bc73d409

MD5 hash:

aa60ff3d0d4d0fbea2fbb7ea642bd965

SHA1 hash:

ffa8d2b74597c2fc4079119969a05147d9f97d5d

Link:

https://www.unpac.me/results/324c85c2-59f2-4c9b-a36a-e7eb1a5ebbd5/

SH256 hash:

3f0ad963782b81f460ecd1fbc77465530f239222ef2faecaf4ce15cb8a350cb3

MD5 hash:

daaf8c8e883ef08ca411febc4dd5a27c

SHA1 hash:

9c9aa7dbe735cc7add045ef8d350fd5507102c59

Link:

https://www.unpac.me/results/324c85c2-59f2-4c9b-a36a-e7eb1a5ebbd5/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/324c85c2-59f2-4c9b-a36a-e7eb1a5ebbd5/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0

MD5 hash:

34e9924238cc9c184aed0f7e0dd905ab

SHA1 hash:

42e0e3852a327ae2d232858ba41fca9cadd628db

Link:

https://www.unpac.me/results/324c85c2-59f2-4c9b-a36a-e7eb1a5ebbd5/

SH256 hash:

07686bd3670d7660420f09f8771135bb16588e15b45561219ead1841952d38f1

MD5 hash:

046a6366921953d042f7a0ffcb26c50d

SHA1 hash:

2dd27e32320fc0277397f57d24ed4b13d99e09ac

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/324c85c2-59f2-4c9b-a36a-e7eb1a5ebbd5/

Parent samples :

4de70d7c97aac4c236396bb488f748b432fda9537e06afa042a77235b1cb8117
36ffec829c35dbf09529550e086446cfd835b4a43c71014ab217783fde2bdb9f
dc77fa38dcbfa8304ae07b051d7658f367286bc92005d327a34c944975719b00
ae4a3ef24f5482b9344969457ac89e08d2598a3721f1725325e86039758f91a2
763fc70c680ac478f31474306d6bb7a0f34893f98d691e0a49b6948a800cf7d4
307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0
db182e4d02790fa627a9d62e3b9439203d2dd5c88c44a5355a7681b7defe24da
93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa
f85b9025ca21804e4ef484b69c89ab2f70de661606b5987e8ff32111256b2a70
90d7dc2cd673fb159368c95d06eb59523898f1498a6d9ce5eb8618690d93e724
15a2d3053598efc70f0ac04252def24ef4dcb216b0ef0a25a957916c8a42207c
72e9d6672de64aae16ae8f4433a9ed08171a7f86decb0d134a03123dd93035d8
21e0ec96d06a0b1e71712fd34ce50e1e4c5a937e8fe8c21f89c5eade948affd5
b6219cebfd6180b0278dc07062893751f3e9c056a23b0b876b2752513cc4a1a5
d3d3facae5e604eded7bf28b146dff57334aa0d9691f1f32eb6f0a30f819bcb8
b7af929b8d99a8a2ec29774cd6c8cf77071b4c865bfe140aedf8b181ce54df89
63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464
da108473566740a4ecd7f86677ee7a22779808be300f3329ca4a6d8877d0fcdf
4e21a93e941a2e0899526af6e6196ab23b2c916bdd01a396a7c546122b1980df
d9b8816dc05c98d38419c94b02dc18ebd9494d13088ca2e1bb757f987001c1fd
0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092
07d199eaef476d20fa7fde86555086bc6193f7426f4b38513299928f06939d8f
1290e2fa7dd284fcddc2bf9caeac02ccbae1f1e715766eefd7644c245a6ecc53
35c38475ab2e902a2f2c56b2b17f27afb10b3b56365c853a8bb33a9c906366e8
48e32c11cf9fe47ee75f05a9cd9c1bf4598869fe1564eaf7c1bbabf309e823b1
9d19092e410ffb1914d7cd9271ec34b5aa8973eda65fd821851e53921a7017fe

SH256 hash:

0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092

MD5 hash:

d9c567f2ba8a1793ff8928fb5ab552ac

SHA1 hash:

845e0d61b4235e98eabc3283127f5df172bff299

Link:

https://www.unpac.me/results/324c85c2-59f2-4c9b-a36a-e7eb1a5ebbd5/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0709f9e2f76a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/392989/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample