MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d4ba406af8e0f931a08aa23385de16329ccbe53f639e525c10f883020822dc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs 1 YARA 2 File information Comments

SHA256 hash:	0d4ba406af8e0f931a08aa23385de16329ccbe53f639e525c10f883020822dc9
SHA3-384 hash:	686a808c0ede4a304c0cea95b7d062a4efab8d0c3b011404cf7660fe0e05fc40fc474d584c9a04d7b7cdbf6c86bb0fac
SHA1 hash:	071dfd76dab7308956c6423f080aa1721498f28a
MD5 hash:	b06c27302fa85f9793a8fa6cbd7fa644
humanhash:	happy-london-april-december
File name:	b06c27302fa85f9793a8fa6cbd7fa644.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	732'160 bytes
First seen:	2022-03-11 23:46:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:57c9gSuJU13Pv4FCUY9hGfqAtiDW29KWWAbpk1iR2hHE2GFkPrqZiAb:eSSfGFCf9DsiaST/t+i8hHzHq8Ab
Threatray	8'048 similar samples on MalwareBazaar
TLSH	T1E6F4AE20AEAA103BF27E8A791BC5F96749DBF1661504E1BE1C2CCA490FE153DDD81D32
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://164.90.194.235/?id=799170398074856

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://164.90.194.235/?id=799170398074856	https://threatfox.abuse.ch/ioc/394367/

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

March_072022.exe

Verdict:

Malicious activity

Analysis date:

2022-03-07 01:52:43 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/cec42a01-5333-4f07-8470-713af531b9b2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/249752/

Detection(s):

Win.Dropper.Nanocore-9941259-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fareit lokibot nanocore obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/622bdf78b94fb38cb460f889/reports/c5afb2c7-fee3-4bb2-bf6c-d2f4633eeab8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ed23bdd-4106-434b-af0a-0f3d9549d09e

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/955335

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/0d4ba406af8e0f931a08aa23385de16329ccbe53f639e525c10f883020822dc9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-07 12:24:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

28 of 42 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bvf2ibvpryhzggqivirtqxpbmmu4zpst6y46kjobb6edaiecfxeq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

56d93ce901fa9fad7422168dc459690a33c397ecb3ca1e22524f477494cbad2d

Loki

63f9ffef412f84bc98dc622d7cfd7ae0881b8f330b976826faa9071599d6b5c6

Loki

bf8d460fe122426a6ad8a28e5dbecaff0c8b48a4eb64f60b95d9373a29416079

Loki

c921fbd6370ff582576be23c6bd4e122fd2e4d743c014b41201a6b1b3f3a4521

Loki

d3b608e9449f557154d4b1d1e8aac380a6c00233a232c6a123b7c3234dc387e5

Loki

+ 8'038 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220311-3svyxscgh2/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://164.90.194.235/?id=799170398074856
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

a99f6bfac7aef10730e5111b966722e1baac6b40251973feb90f02efa4fa89af

MD5 hash:

6e7dc5c7dcb8c5a687405ba09c33a1e9

SHA1 hash:

f6d79cb5233682cbd5c4c5fbb2ce787e5acc09b3

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/c686d13a-986b-4414-bfb3-af76fa42859e/

SH256 hash:

175285bfa8a73b3990f54994b8825c1f3396635bc344939cd8d9fc60b9569b46

MD5 hash:

f26eb90c6addfc99fa0c2e63896216d2

SHA1 hash:

77e01b96d8c211d4d24fc0a1aae91122caf5f668

Link:

https://www.unpac.me/results/c686d13a-986b-4414-bfb3-af76fa42859e/

SH256 hash:

9dfbed142065e066ab90910f4fdcc0f379ff236d384ad021037b38285b8e7204

MD5 hash:

6a69ee97ad19a69e442768a4180bcefd

SHA1 hash:

5d66437dcf85d23d94152753d57a397f3c9802d1

Link:

https://www.unpac.me/results/c686d13a-986b-4414-bfb3-af76fa42859e/

SH256 hash:

c1226ca92c46419cf84debec56ce30e2186770dd888931033eec85100761c01a

MD5 hash:

419c479c059889972d76d0b91e08ca65

SHA1 hash:

3fa3a6b89d29b8eb5508611999c7903c9c2e27b6

Link:

https://www.unpac.me/results/c686d13a-986b-4414-bfb3-af76fa42859e/

SH256 hash:

0d4ba406af8e0f931a08aa23385de16329ccbe53f639e525c10f883020822dc9

MD5 hash:

b06c27302fa85f9793a8fa6cbd7fa644

SHA1 hash:

071dfd76dab7308956c6423f080aa1721498f28a

Link:

https://www.unpac.me/results/c686d13a-986b-4414-bfb3-af76fa42859e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0d4ba406af8e0f931a08aa23385de16329ccbe53f639e525c10f883020822dc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249752/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample