MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f72ef00ac57fe6c45d309595fd9524682e1821cb932d60f2b3e4658f763e04e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f72ef00ac57fe6c45d309595fd9524682e1821cb932d60f2b3e4658f763e04e
SHA3-384 hash: 0008313209894153c16eb96e812e21df39a366b2568b6533b68d7cf8c8ed355a31d6f0ed420fbd63e354cb2ded0dd992
SHA1 hash: acbe2ba144e00f9edb946ce59ebe9745ba5ed31e
MD5 hash: 004033a7aa6788d105655cbc3bec1655
humanhash: xray-glucose-pip-delaware
File name:RFQ FILE-LLC.image.jpg.json.exe
Download: download sample
Signature Loki
Create hunting rule
File size:859'136 bytes
First seen:2021-01-06 08:02:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:tGOCWPU3ZXVcO0DDkENJJUEAkTinQBSmJtvUz811Xxcfzim5cYCgLtJ79ME:oS4t2O0XkU7KLLA112bim5Np
Threatray 2'223 similar samples on MalwareBazaar
TLSH AC05CF22B38A3FA9E53C57F661684101A3F5F40EC765F6BB7CA540DE04A5B508AF1E32
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: jktd3khmail02v.cloudkilat.me
Sending IP: 103.43.47.239
From: Madiha Rasheed <buroil@cyber.net.pk>
Reply-To: Madiha Rasheed <buroil@cyber.net.pk>
Subject: Request for quotation.
Attachment: RFQ FILE-LLC.image.jpg.json.zip (contains "RFQ FILE-LLC.image.jpg.json.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ FILE-LLC.image.jpg.json.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 08:08:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1cb15795-8c4e-4726-9245-f04903277572

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110712/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/574935
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0f72ef00ac57fe6c45d309595fd9524682e1821cb932d60f2b3e4658f763e04e/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 08:03:09 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5zo6afmk77gyrotbfmv7wksi2bodaq4xeznmdzlhzdfr53d4bha._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
Loki
5cf8e944ea54195e221343dec2bb3728c5faecc2b55be781b597503a7ae2fd39
Loki
625f7252c720ee24a5c784de6b660e72acf1686931f18b6dcb68cf891201002e
Loki
62e4849bf2b02dd9508f6db60bc9f0d0e982ddfb607b9816e4a777c8cf5542ec
Loki
6a552b03353efc74c7871b59d8844ee8990a224de336ca893e1b74d10cd4b16b
Loki
a2267c6724ab4e4a965938b0ee2c926ffa2df8b81ed582c1424d224f35eec2e0
Loki
d0c990414b2cde20ae0d9626766663a2287a454121786158644123abf5870d89
Loki
fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde
Loki
fddfec9969308b3c56c582a490eae81ff859a962f055bbef69447e8e50ba317c
Loki
fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920
Loki
+ 2'213 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210106-bnzehmdas6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
ServiceHost packer
Lokibot
Malware Config
C2 Extraction:
http://tuandat-vn.com/llz/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0f72ef00ac57fe6c45d309595fd9524682e1821cb932d60f2b3e4658f763e04e
MD5 hash:
004033a7aa6788d105655cbc3bec1655
SHA1 hash:
acbe2ba144e00f9edb946ce59ebe9745ba5ed31e
Link:
https://www.unpac.me/results/fbe172d7-8bcc-40bb-9dfa-97f222309b00/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/fbe172d7-8bcc-40bb-9dfa-97f222309b00/
SH256 hash:
c1961849aed628a546f665ba6eb2f9f6e195d3c3ac3f5cd5d0c76df92c7b7158
MD5 hash:
d7583d1ed4d680740e58768df9cef1aa
SHA1 hash:
b2c96b52924268b848f47b142f909ee4eda2bfb5
Link:
https://www.unpac.me/results/fbe172d7-8bcc-40bb-9dfa-97f222309b00/
SH256 hash:
7dbb641746725954cc3835cbeb4bb9ce0ef204c4aedb975ec357c32e68a8c240
MD5 hash:
d2102c78f333e4b452b25a73bf9ee3a2
SHA1 hash:
bf37d01b90681f05272e4af8db1115892c1c3c3d
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/fbe172d7-8bcc-40bb-9dfa-97f222309b00/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f72ef00ac57fe6c45d309595fd9524682e1821cb932d60f2b3e4658f763e04e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:Malware_Floxif_mpsvc_dll
Create hunting rule
Author:Florian Roth
Description:Malware - Floxif
Reference:Internal Research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 384bb63f5b173cd5d0d979676ccc1adf921a9e23fd29fdbc1a089f0814f638d3

Loki

Executable exe 0f72ef00ac57fe6c45d309595fd9524682e1821cb932d60f2b3e4658f763e04e

(this sample)

  
Dropped by
MD5 08f9fe50268bf9ea42f1b923732e4d78
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110712/
  
Dropped by
SHA256 384bb63f5b173cd5d0d979676ccc1adf921a9e23fd29fdbc1a089f0814f638d3

Comments