MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca92ca94e8cee6d8867a9013fbb90ec9a322b39300b189e49cacbec15307b38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ca92ca94e8cee6d8867a9013fbb90ec9a322b39300b189e49cacbec15307b38
SHA3-384 hash: 6ae3a634c40a1c67603267164174d30c4db006c08d1d5d8a2446cb4c4f6669d062e80847d31a243e9ef4852aa9290fa7
SHA1 hash: 48f229afb963a5bfaf52d456265b9e7776a86ff3
MD5 hash: 0d7486b187950b8ceb9aa40a9c9d554c
humanhash: idaho-salami-april-seven
File name:SecuriteInfo.com.Win32.PWSX-gen.298.11432
Download: download sample
Signature Loki
Create hunting rule
File size:753'152 bytes
First seen:2022-12-05 04:27:31 UTC
Last seen:2022-12-13 23:53:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XoQcikS/1Pl+aJuQT7v4zGZHVlMqyaw+1Tj3WMdOgkg586aWHff:4QZX1Pl+aJLj4zGN7MqK+1n1dFB5O8f
Threatray 14'105 similar samples on MalwareBazaar
TLSH T160F4094CF3089D36FDA983FD3691409E629E148D7470F7D08A89E0ED7234E9E1AEB515
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.298.11432
Verdict:
Malicious activity
Analysis date:
2022-12-05 04:30:30 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/cad2cf1d-fead-4ad9-b336-f4647e3cc8f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342717/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.298.11432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/638d7355d4d7598ad9047ff7/reports/29a47182-293e-4a1e-b2ec-bb870521f101/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8896ad05-4b6f-4438-8934-7a4822bd216c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127707
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ca92ca94e8cee6d8867a9013fbb90ec9a322b39300b189e49cacbec15307b38/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-05 02:38:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
21 of 40 (52.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsuszkkortxg3cdhveat7o4q5sndekzzgafrrhsjzlf6yfjqpm4a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
30c61449c317a93868125e8fb38ba229abfafeeadaac71737b18271cd44faa00
Loki
32e9a20cc88105e0bd153a8461f56d70e4e4529988a14b961d095019358fe827
Loki
4b89267832125c432812fa3f7bc1953ccdf0f23d1f9dcaea37a5a53ea3169e67
Loki
78a5a0b0bed684217ba65ee4f92daebaa0ef82c9f95d9a5999e0b3755e2ba823
Loki
7e44c6fb6963620960fe0f8574af42ec032aaff7238bf470cba2c4af3a9da77d
Loki
823a3ef9755e5c604c26746462e5c3edd55b21951918ff458ba283f3679d8911
Loki
9f2bf9f08f9bf9ec6e6043a7de37093c1b2e64667b87cbff6e4bdee5f994f9fb
Loki
aa5db1e76d992d81c9b6f368bc705f4240512bc4aa193cc23fa3ba50ce48d1fc
Loki
b29c32eaed48b900408cb17dbf66d4f120229bdd76f9ec66ec2d43fd5ad61c18
Loki
cbeb5d319e3a34043bd299b9615a76867f9a94372dc9cf46de82da74a07009c3
Loki
+ 14'095 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221205-e3netseh73/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://sempersim.su/gm11/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
329aa68889575cdaf9d702349460c68c3e9cdd24a8e19a15f7e4ffbefa6f6b2a
MD5 hash:
6af1fa2167e16000639fa8cab37e0fc2
SHA1 hash:
f7bf6abc9f95d557df8d9eee921ddd5b353b7e3e
Link:
https://www.unpac.me/results/1baadf8b-cc1b-411f-a83d-c351f9c3b572/
SH256 hash:
7f7c0b2a2b834665f169e92b8ef3527bee6942735e863b7210ceda3a261bed19
MD5 hash:
578948cde868409762f6fb8719c6d9b0
SHA1 hash:
c36efaeadec1f0f25b1f84b022f7d3657657ea9f
Detections:
lokibot
Create hunting rule
Link:
https://www.unpac.me/results/1baadf8b-cc1b-411f-a83d-c351f9c3b572/
SH256 hash:
bdffcb8fe710c174a80e645872a7fb4aab8eca8031083ffb2777ee8725261307
MD5 hash:
cc6f961e1fe91292a5aa260513ded4c1
SHA1 hash:
6cf3242cf5d51e3e4f8d78c996cd62fe6a220281
Link:
https://www.unpac.me/results/1baadf8b-cc1b-411f-a83d-c351f9c3b572/
SH256 hash:
88f1607f10158969999f758a64a9c7543f267c4f90517c355e7e9aeaa8dd6983
MD5 hash:
b701cd2432dda77c8ab19dc20a640f81
SHA1 hash:
3998a4cc10e9a4c876300fb0f41c656d3eaeb878
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/1baadf8b-cc1b-411f-a83d-c351f9c3b572/
Parent samples :
20d3073814656292b0e0604dcc4ff918ec607af69c41a0d8400376cdeea6c236
95a1460cc5234be6e73249c8300e11caed618795efde6a39064990ab44c6df74
bfd4c6e93569ce5fb18f0196d8d9a15dba7d080d7881f1faf71e43f4fc543941
ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885
57520e51bb0820741b7883926800223886c491a8a5ddd517a49b0e2cc752fb18
0ca92ca94e8cee6d8867a9013fbb90ec9a322b39300b189e49cacbec15307b38
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/1baadf8b-cc1b-411f-a83d-c351f9c3b572/
SH256 hash:
0ca92ca94e8cee6d8867a9013fbb90ec9a322b39300b189e49cacbec15307b38
MD5 hash:
0d7486b187950b8ceb9aa40a9c9d554c
SHA1 hash:
48f229afb963a5bfaf52d456265b9e7776a86ff3
Link:
https://www.unpac.me/results/1baadf8b-cc1b-411f-a83d-c351f9c3b572/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ca92ca94e8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0ca92ca94e8cee6d8867a9013fbb90ec9a322b39300b189e49cacbec15307b38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/342717/

Comments