MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f
SHA3-384 hash: dea4bc094745304d15b24de419f7fb7eabba59021247a2b9bad5f864dd53fca5db39cb22698bf9625ddfd920bb3210bf
SHA1 hash: a0ce76e9fd8b5b568848f8dc0bcad09e975aee3f
MD5 hash: 2647d573fae68ef407dec78e9c63367a
humanhash: winner-hawaii-finch-sink
File name:MV. RISING HIMEJI.exe
Download: download sample
Signature Loki
Create hunting rule
File size:649'728 bytes
First seen:2021-05-10 02:20:33 UTC
Last seen:2021-05-12 19:01:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:FHFMw7Y9MA59CyMAn0D2wx47BDKiuKuQcV1kCi8AORcWAB00+R7dx/:FH+w09tVhwxQuscTa4Rczh+R
Threatray 226 similar samples on MalwareBazaar
TLSH 6ED412813A451499CD73F6B385D387B243221EBDA832AA173ACC7F53377F645A923612
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://ewatersystems.com.au/.inx/need/work/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ewatersystems.com.au/.inx/need/work/Panel/five/fre.php https://threatfox.abuse.ch/ioc/34162/

Intelligence

File Origin
# of uploads :
3
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/153664/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.7381.3768.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/720907
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 409383 Sample: MV. RISING HIMEJI.exe Startdate: 10/05/2021 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 8 other signatures 2->44 8 MV. RISING HIMEJI.exe 6 2->8         started        process3 file4 26 C:\Users\user\...\MV. RISING HIMEJI.exe, PE32 8->26 dropped 28 C:\...\MV. RISING HIMEJI.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\...\MV. RISING HIMEJI.exe.log, ASCII 8->30 dropped 32 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->32 dropped 11 MV. RISING HIMEJI.exe 54 8->11         started        15 AdvancedRun.exe 1 8->15         started        17 AdvancedRun.exe 1 8->17         started        process5 dnsIp6 36 ewatersystems.com.au 166.62.28.93, 49732, 49733, 49734 AS-26496-GO-DADDY-COM-LLCUS United States 11->36 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->46 48 Tries to steal Mail credentials (via file access) 11->48 50 Tries to harvest and steal ftp login credentials 11->50 52 Tries to harvest and steal browser information (history, passwords, etc) 11->52 19 AdvancedRun.exe 15->19         started        22 AdvancedRun.exe 17->22         started        signatures7 process8 dnsIp9 34 192.168.2.1 unknown unknown 19->34 24 conhost.exe 19->24         started        process10
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 02:16:26 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxhlzp7xxbetbydznmt2j54vjacchijc23jadzcqontyqmvqsypq._file
Verdict:
malicious
Similar samples:
0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7
Loki
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
Loki
5a098ce0200bbbbe0da398c577353e6c4838da7bb2bd55d62f032211125ab92a
Loki
84858fb9b1e2533886a654de52671d91b9d9d7f77ecc7a883d6f03821376b3c3
Loki
adbfaef61c436d79f0ab2c890570f73ae979609feafd21d9932e86641aac05dd
Loki
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
Loki
c8d3f11a26166f4c493d3160f23ff04bfc500895c3d644773006536d8f647189
Loki
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
Loki
cfd58b76ee10d732160ae05b4cb87e95713ad0ef8b17d77f0bb33b31ac4e6e18
Loki
e111f6f2fa1deba59df581d3c6ef269c3e3628b2649cb728e30092d8d30e258c
Loki
+ 216 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210510-7f3x936cps/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Lokibot
Malware Config
C2 Extraction:
https://ewatersystems.com.au/.inx/need/work/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/489dd7ff-45aa-4785-b4ff-f4a7b2dbaef0/
SH256 hash:
4761caab18a26abfe27231a97f38e35e2bb9495117aa3da0035b3c74f822edce
MD5 hash:
ee641aec980db49e79376c77767567af
SHA1 hash:
1620aecf50970b178b28b8fba05ad72a4e447e40
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/489dd7ff-45aa-4785-b4ff-f4a7b2dbaef0/
SH256 hash:
ef3b3b15d3dbe96112c03b48ce38f4fe02b2306c965dcf2de5aa7b1bd6fcd202
MD5 hash:
659282dc5924bf1a90e9c7d133ffa5ab
SHA1 hash:
caeb11e1f433ba57aa27922ec671df839688cd5e
Link:
https://www.unpac.me/results/489dd7ff-45aa-4785-b4ff-f4a7b2dbaef0/
SH256 hash:
d68a52be6554fc1fb04305a409d67656c195a597e88034783dac141a42d78953
MD5 hash:
e14d84ed514878ef09a045ba7556efab
SHA1 hash:
61cc3373668fbad288659ab422eccac47ee9e24c
Link:
https://www.unpac.me/results/489dd7ff-45aa-4785-b4ff-f4a7b2dbaef0/
SH256 hash:
0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f
MD5 hash:
2647d573fae68ef407dec78e9c63367a
SHA1 hash:
a0ce76e9fd8b5b568848f8dc0bcad09e975aee3f
Link:
https://www.unpac.me/results/489dd7ff-45aa-4785-b4ff-f4a7b2dbaef0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0dcebcbff7b84930e0796b27a4f795480423a122d6d201e45073678832b0961f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/153664/

Comments