MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b31e3396946781f4215290726981f96511ebc2d286a56d911e102ee7145c6ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA 15 File information Comments

SHA256 hash:	0b31e3396946781f4215290726981f96511ebc2d286a56d911e102ee7145c6ee
SHA3-384 hash:	cb59317a89fa2ad1078c08b0cc1dc19bc6451485687bceda02f9f433bf9d54588a7e9704f2f0bde1380ca6d6f17ae68e
SHA1 hash:	1fc2da1c1c87af9637bfb4858fee4037cd5e60ab
MD5 hash:	2d9d9dc24b22cccd2ca8ca4d2975115d
humanhash:	oscar-foxtrot-beer-ack
File name:	kellyzx.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	765'440 bytes
First seen:	2023-02-03 14:06:16 UTC
Last seen:	2023-02-03 15:35:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:ehefaqG4yPaj5XwBtP3NjHetuoOqFyq6Fy2Mxzo3:geSqG4yPatXwBtP3N4qY6F0xM
Threatray	16'139 similar samples on MalwareBazaar
TLSH	T1C5F46D6337B199B2F78720B104287B885BF17603BE56E2938BB737C06785DB77298152
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

199

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

kellyzx.exe

Verdict:

Malicious activity

Analysis date:

2023-02-03 14:08:37 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/c8f181a7-18ae-4478-a1e1-5efabb90b907

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/359922/

Detection(s):

SecuriteInfo.com.Trojan.Siggen19.38907.10465.31806.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lokibot packed

Link:

https://www.filescan.io/uploads/63dd150789bd67c10fdc5c02/reports/7ef66b21-0eb7-4d93-a17e-cffebddfe824/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0b31e3396946781f4215290726981f96511ebc2d286a56d911e102ee7145c6ee

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2386b1d8-fda7-4a68-8178-f46468276631

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1165204

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b31e3396946781f4215290726981f96511ebc2d286a56d911e102ee7145c6ee/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-03 14:05:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bmy6goljiz4b6qqvfedsnga7szir5pbnfbvfnwir4ebo44kfy3xa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

75f3ada6a5d7bf870af3e1f66cd00e437ae13d44a627d841239a4cbe5d53b1fe

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

c5d9ca19abf562a2da5b6e99f5eec5906f6f55f8056f5eb6f9840e541c053b9f

Loki

+ 16'129 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230203-rez5yaff37/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://171.22.30.147/kelly/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

178cc7474b323b0ae6b3095ff67127726530d9d44be5cb58ba7315ef3a1199ad

MD5 hash:

159af9cf7f94d64c8120c80268965306

SHA1 hash:

fb41ab37af2c83e96d97e9cd066f90e72d4887ea

Link:

https://www.unpac.me/results/469a0e76-0b77-4047-9a5b-4965f51e98d2/

SH256 hash:

3d2e982f1e2c1e37d34bc9f3e3fc929605c524dc17a2fca690b6f06f6b70c9bf

MD5 hash:

d2ca8066772cd53d7d6b27251efd0e98

SHA1 hash:

339ad97f2b030c017d6d77242480c8a4a3f6a8ba

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/469a0e76-0b77-4047-9a5b-4965f51e98d2/

Parent samples :

2d83164d1358ec644bb36c5edd0c16e115510789fea78f6a009a5969a74cd9e9
61a6189c8bf0e10eb20156d9c8847d3849d5307822ecea88bb3421835a347fb3
9ae97e832eb469696126acef1245094cee8c496f2cd4e0ae68cd3b923d7117e2
1c99a914285fd2e4bbf9c25627a9155db90d7859a1e17e127eb29ba0adc4ae0b
4337ccc0329004c467b984ac20a8f86bf743a3e344900a6fadf4f73b2cfa0446
1421401fed49a2dc8f783cb79c0fe97a9d5607a44ecb3eb1973cd29fd963d573
e9511e82695b2fcbfff9fd605278da2f663b29fd785d048d04e8dff8cec3965d
09427baaa4e10ede078546157e86d570b5d1acf2b4196fddc3e88afe2448f5fb
66bb9199ec8427d9425197aa3c8d006f4cdd8b1fa535e0de5312b3bddd832aec
eeb800f752648769bd2af8b1e03aa8be27d4458efe9e0450e8a24e860425b0e7
59181328ea5b20dbebffa92c11f3ffa3616cdc8529ae91c3794186055867c6e3
9b5f04b58d83c067c57bd8fc882566c2d11e082e7fcfc80bb235d7ad1fb2753c
e1b43a4ba3e06006328305893b4af467d63aeac6d0c9e43057a20b883e67c89b
f96f2dc00edf430af1b60c783867a75415e55965fbabea46318ebbef910d9a76
57cdb4d1bc88747a4552289f269a58948d096853d812b2224feab1751d974c30
376b4b5c353b5bc460e6197d9bbea4728f8d5e2d3481f2fce574cedbe6b0de54
9fab36962c0d264fca98c96f3355f68921e89a0f4a6a7aadf8391b1b6e119331
75810d481132b97e8f2f43404e06b9bc5b66477856c078c7f39469e0b729d3f5
e7ecce5580d7ffce80b2921d953d528aeb9c1f724a49d91db380478c5423c3f2
2a1e3d8cac1bc3a9ecf929736afce96f3af7eef91faacf66af7e3511ef072cf7
73a6100eaa8300bd7adf9fa67eed914ef1e31f543cad2c6aafd5010b590f2ba3
b9ff83bfec02bbaba2e8966e3923e08238e295dc9e66b139df4ba1c3f024a8d9
f151c4d9ea6f201827c1b36d882505af0e6ab2760c961595fcce8bcb4924a24e
0b31e3396946781f4215290726981f96511ebc2d286a56d911e102ee7145c6ee
6deffbb2c41517cfcd64d62f5b4c159c5fb88b5157fa44877960c490ff23278b
138a5f951399c688c4f860a1d5ab27a187ec6498720b538b269a343b1769127b
ff0b68504322c7b426a61ec212c9530dca511bd2e3b7cf91ea87a2ec84de4486
551ea82313ce0400560a5aaa288b8ad8c80e6e1ff329b6574ebefd24463b2c14
e0012a37abf360a40a1908969dd4b34f9abd45d074be84161da714327eb3e2a2
3ff129da1bffaa9e882a0f1a3f83dd8e10307d3aa5e0e0a4384b3e6de3dcd825
519ce7c158cc6efd1c30436ec5b237fda2915964c888fa83b7c12c2e24a1573b
9e0b361effefa25b4c44bfe40419f010d5db51fad24175180e47870a33949d1d
50ea6e82b9cf125d35e10d066e15cf1efea3cf48afa838bb72809367e60d0eef
f6484b4fcbe0540db14d4dc0e16280ae3916f63668b6ccbe95aa692bcae52c50
95709146a788e3cae6af75199ba67b1aa327c8fe1c605f2cf8341861389cd011
1004c0413336aec1c5d34dc6cfe493d6928b1550874454efe7355d0c011f44df
2d608bc71f7bc5345161dbcafd234dd45058d585a0dc2750906b1079cfb4bfe1
2ce452da51ffdeed905e03d198db2d6931d31bf7ba64d23e59abc6937004aaed
f5f266dc641ff0991027fb2c539423a86db1a2cbb8b8c57d0d628a0b13bafc86
4cfeafd256d56b8d617006bb48351e85a46b7f278d3363c0712c3277036bf7ec
3adfe49939de14f4f61573e4dfbbd7e47845d6b2b71a8b1d9849776da20acdea
b53d6ce1c2366c6c8eae28514dc9aa86b0dfa7f6c18ace6df1db1681f295955c
1a4cb882dbff14000f8050dd777ad91390ef18c824fad6a75239c9df1865e5a9
1f9306a8710aa6e2dd1aa8cbed8009479a3f87a67eb7a206ea994ae7f11c1c29
59756812bcaf8868c6b929998cf8abcc8748cd7046026b0eced151e29e433100
0040c8a0a4f5fdc9a18c894965f3d97ca4a92dc97b97c324f934a4978430bbeb
7aaedf8e1c200b793a2da307849e2c8f78436747c77e86fb09c50b74d8e0e951
bd39fed12fc1628ea0d32be8de963054fba43b2786e173ab93df9bba9421c07a
b078eb9c9dbfecda42635246799bd361b9adf674d9d4df1f30b40cf8f0626764
4e03dfc5f70361b7adea720dcf58b2183dbc3ecab58bc8718c2432cd6a3ff7d7
15ff16c0806c71acd981ad9f9a8b6bd31b2c4b9300b0dfad04a8e547e0d8226b
8ac0763b0509962eb0a279639ec077b9de3a6089994ca2222788da921f8e587c
061d5260cf6dc7d572961097606059265b986188ebfe59c603fab9a4165a973e
cefd971616a56a52fa3c0cb966cfc4c982413038cb0907baca5170e1bd585b4c
101e1bee011696853007ad648c156a881514f517b56667c2e953ba04ffb219f9
fd5030b33e9f626dceea517a8ff935dcd2f9d9d8d6ff9ded6f998ecee7de7e52
e9c141cc8f4535f2abc77198d303fb533cd4acedb9b1aef39d57529dd6bafe65
3605daef92fa748c72ee75acc49d93ba9b42bb92586c9fb515d327bae2d34287
59bfe87a4f70ad80b96e5d135d9688324b18009f800b7001c6efa116fb780d2f
121bea26acd46a7ce020d48ea79216f4119474fb6dd9895baf1d9dfdf6dc8fcd
f03390fa3307e28389f6581e930065b810892ddb2cd0b12f59ccf896e1852681

SH256 hash:

d6a8863ca54aa27981156704ea218ef221908c775aa4c7ba66ceaf97efdac003

MD5 hash:

b6625862871133166c326eecd8b10551

SHA1 hash:

32a5e0e69ea30fa2783b47bfc8a28a386de1489b

Link:

https://www.unpac.me/results/469a0e76-0b77-4047-9a5b-4965f51e98d2/

SH256 hash:

f8ac5bda091ed08249b271e141f674ad8c6e618bd6ec193114651b55c290f5cc

MD5 hash:

ce418d5a94484bcb61a33e216e42e8f6

SHA1 hash:

23533cbd21597813ab1194961c384098431bcb1b

Link:

https://www.unpac.me/results/469a0e76-0b77-4047-9a5b-4965f51e98d2/

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/469a0e76-0b77-4047-9a5b-4965f51e98d2/

SH256 hash:

0b31e3396946781f4215290726981f96511ebc2d286a56d911e102ee7145c6ee

MD5 hash:

2d9d9dc24b22cccd2ca8ca4d2975115d

SHA1 hash:

1fc2da1c1c87af9637bfb4858fee4037cd5e60ab

Link:

https://www.unpac.me/results/469a0e76-0b77-4047-9a5b-4965f51e98d2/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0b31e3396946/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0b31e3396946781f4215290726981f96511ebc2d286a56d911e102ee7145c6ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/2259322/

Cape

https://www.capesandbox.com/analysis/359922/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample