MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f9c3e416adf7eb5bc46937d77ab2944dc8e336b98dba2133502f7b1e053f7d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f9c3e416adf7eb5bc46937d77ab2944dc8e336b98dba2133502f7b1e053f7d5
SHA3-384 hash: 0246e6738226ad395fd49a96e264d5675bef705532a4fc34611107376af794b6ed3dfae5b55497784f62e170efef25b2
SHA1 hash: c0b4ecbf22fa12b7f335e7fc1d3a41dfbcc0bb56
MD5 hash: 68f65c31be24384aa71bc65f663d2f44
humanhash: montana-orange-wisconsin-timing
File name:68f65c31be24384aa71bc65f663d2f44
Download: download sample
Signature Loki
Create hunting rule
File size:308'091 bytes
First seen:2022-03-11 18:16:28 UTC
Last seen:2022-03-11 20:18:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:rGiZ4atutdEFVU0EEw/H4RM/TyTmoVN1osMIt73Y68ye3xrW+sGuTin+k:qxzE80EEsH4ReyHNu0Du9ZsGuO
Threatray 6'785 similar samples on MalwareBazaar
TLSH T12764232D54DC97FBE9111A7029B2F252E7FEDB8E04B6101383582E3FEE156D1D92A213
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/249652/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.22812.17646.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/622b92270cd58dbd927fff4a/reports/d9c2eba0-0507-4423-972e-ca3d12630173/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99ccca8b-38dc-4b07-9473-9f79ec25d733
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/955111
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0f9c3e416adf7eb5bc46937d77ab2944dc8e336b98dba2133502f7b1e053f7d5/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-11 18:17:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6od4qlk357llpcgsn6xpkzjitoi4m3ltdn2eezval33dyct67kq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
06560f67b709f2186f41152b7f45927fdb92863a33b7cf0a72f826bb931bd1c5
Loki
3cb688ffa18d62a78e9c4288e2acf85b37b7749b512a17ca0755e0462a1ffe91
Loki
59b06069ea18c6dbbd1e31391c841edf48d9baa0cf8bb58e2dbed3e14dc0acad
Loki
6e3534b492756965a0251338cd6bdcfb9db67fc74d041268c02ba15f7d2f5d80
Loki
abdaf66ee5e02f9a9f181c3807b4e04c221fb82f877c2657640b78b818245e73
Loki
b5fb749600eaef62ea05186a048876814e4229b98b36b6c6f285b4d027782248
Loki
fcaf64793f2f08f4ba32bc62662817ec393d4dfd16393ae3cb115861f1f281b3
Loki
+ 6'775 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220311-ww4a5safe5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://hstfurnaces.net/gc20/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0f9c3e416adf7eb5bc46937d77ab2944dc8e336b98dba2133502f7b1e053f7d5
MD5 hash:
68f65c31be24384aa71bc65f663d2f44
SHA1 hash:
c0b4ecbf22fa12b7f335e7fc1d3a41dfbcc0bb56
Link:
https://www.unpac.me/results/2059bc04-3d08-433f-a3ca-08b3d8128ebd/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0f9c3e416adf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0f9c3e416adf7eb5bc46937d77ab2944dc8e336b98dba2133502f7b1e053f7d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 0f9c3e416adf7eb5bc46937d77ab2944dc8e336b98dba2133502f7b1e053f7d5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2090618/
Cape
Cape
https://www.capesandbox.com/analysis/249652/

Comments


Avatar
zbet commented on 2022-03-11 18:16:30 UTC

url : hxxp://192.3.13.5/spacesave/.csrss.exe