MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 15 File information Comments

SHA256 hash:	0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603
SHA3-384 hash:	b59c074ce6357a523f7afbc34713680cc21ed2f9f5f2cb32e3fc9113e96f828a58b99f5dabad44738679b115683c5ae2
SHA1 hash:	a1469f8814bd3dcc4ccfe890aadb45995ca32e17
MD5 hash:	990a71ba6deae9f8fd91ee813295b970
humanhash:	sierra-juliet-march-oregon
File name:	990a71ba6deae9f8fd91ee813295b970.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	597'504 bytes
First seen:	2023-03-30 18:12:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:NGFyY6lYeY6dIqvcjnJ9MvE2ztQk8+Commh3imOMt+:N4yPlvcjJkJQk8simX
Threatray	4'008 similar samples on MalwareBazaar
TLSH	T144D4F12836ECC919D02A977D80E5D2F053BACDA8E563C7130FC8BCD7B38E356656518A
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

990a71ba6deae9f8fd91ee813295b970.exe

Verdict:

Malicious activity

Analysis date:

2023-03-30 18:15:17 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/f4648a13-65b3-431f-b393-dbba69f7efd1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/378919/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook lokibot packed

Link:

https://www.filescan.io/uploads/6425d13184fe7631c302fcdc/reports/ee964c67-aea4-4146-b2c4-f738acdbd700/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f4602e13-82ac-48e2-b4ec-55b5e3729d0f

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1205483

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603/

Threat name:

Win32.Infostealer.PrimaryPass

Status:

Malicious

First seen:

2023-03-30 15:51:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 35 (48.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=b4spwjcy2ojst4vljzbt7ph2iflgpxqbemaeyar6si7h54254ybq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

Loki

26cfdd614196dd8f128f01480c55504960ecafad60991455a030cc5c73130f2a

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

83ce4d12583639df7dcbe4d13b6e608bca3c42a58dc4fbb18c352fa93dec7800

Loki

a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4

Loki

+ 3'998 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230330-wtqx2adg42/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://185.246.220.85/luna/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

e9a3571e33b0eccbdd5770a3d56a6fc1e04f6b42bf32c1ad6add74f9084a6a71

MD5 hash:

c92fb45c8ae5221fb7cf379853152158

SHA1 hash:

f01c4577d1115c4fc5dae54f5030464566f78ce5

Link:

https://www.unpac.me/results/0de07c1f-4926-4a42-863d-55748493a553/

SH256 hash:

7a98d55a8bf4bb08996522ccaea236d1b56a8161bfe932c4044c26f1cc6a01ef

MD5 hash:

57f6d057958391193bdd92d3dc21d14b

SHA1 hash:

d4afee0a6a81908627b27bd54138f84ca1886bc1

Link:

https://www.unpac.me/results/0de07c1f-4926-4a42-863d-55748493a553/

SH256 hash:

bc848132c53e245bbcf144a56351dff4c68e424ad4eca60ffde9c2915237b9c2

MD5 hash:

7f31a6e5697f8b91279d363818c5901e

SHA1 hash:

a812ffb461f557bbc6b55f3e2753ab6180b451f2

Link:

https://www.unpac.me/results/0de07c1f-4926-4a42-863d-55748493a553/

SH256 hash:

715657d21d42634ec1f595fe36ec12b0610702f2d9e03c05de893f848b97ef20

MD5 hash:

cd3bb7c368e463fbcef58ff4826d092c

SHA1 hash:

76172096a46be0c2e35e48dc4a7dbda4c91f0cd0

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/0de07c1f-4926-4a42-863d-55748493a553/

Parent samples :

ca0fd5d6fc1acca00e8124493c9586bbeee3fb8c0a1bfd2e835e05f39d4e185c
512c02ea092713ae33b44e5074b6d0e35d934fc9dc3b1c7a6f789ec010d77f71
4526f94530978413010ef4567c6e093679aad9d0451d0d74400426104f24a0b9
ac4ac969409616f3fcbe4983cf7ef19728dbfb8ffc34e2ee39943027e1bf37ef
95c636b2d4788b417cf77e95d31c22feeb7954f362e1db3e4edbe728d4484467
401d220261ff30836ab09ad1300284fa829c9be5a1c80eb6faad895c10f69a46
fa3e5f3e92113edc46947e33ba2f42b48bae7bc2a3e3be6de5c03a3faddd5bc3
0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603
0a0bd0cd5811edb28b920334d242531fe420a9485a38db7c89bd870ec1926602

SH256 hash:

2dcdcc7ea3bd4f757382ec993bf4dbf5f6e97d700a4e8d62cc6e1d32a877cc1d

MD5 hash:

63d25b062df90ffd87da0b71b29b4b25

SHA1 hash:

69365a40898849392ff92b587ea4ca6d52b2ebf9

Link:

https://www.unpac.me/results/0de07c1f-4926-4a42-863d-55748493a553/

SH256 hash:

0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603

MD5 hash:

990a71ba6deae9f8fd91ee813295b970

SHA1 hash:

a1469f8814bd3dcc4ccfe890aadb45995ca32e17

Link:

https://www.unpac.me/results/0de07c1f-4926-4a42-863d-55748493a553/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0f24fb2458d3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 0f24fb2458d39329f2ab4e433fbcfa415667de0123004c023e923e7ef35de603

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2568450/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/378919/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample