MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fad781290e1db5165942e6d7254edf797efcb2dc7712963286e054065be4ec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fad781290e1db5165942e6d7254edf797efcb2dc7712963286e054065be4ec1
SHA3-384 hash: 39c379621b9b6dddf0e236631f4fca53da1420a9e9c053f15f9f48818b3517faa84d1475c068508530f0e3f78b6a0db4
SHA1 hash: 58c1e7b03f2c8f29935d3361a3ad7bfdc82bc333
MD5 hash: 5f18e70118eb5dfe228a1eb0d790d48e
humanhash: diet-missouri-illinois-grey
File name:order confirmation_83783667367636.com
Download: download sample
Signature Loki
Create hunting rule
File size:718'336 bytes
First seen:2020-07-16 18:31:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:0fkI3K4NhJlw2q58uFixHLVDzTIroIJXWueQbXhWA+x+Fv0nqfzUBe3ZLxM5m6m4:ykI3K4NhXw35vgHLVsrH9L8x+Q4SX
Threatray 1'538 similar samples on MalwareBazaar
TLSH 46E4BF10D6284CE7EEDD66BAC4949284E6F98C968C0FE64B9B413CD5DE373A1E9031C7
Reporter abuse_ch
Tags:com Loki


Avatar
abuse_ch
Loki C2:
http://asatechw.ga/obama/five/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26938/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Reading critical registry keys
Launching a service
Changing a file
Replacing files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Moving a system file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388722
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246535 Sample: order confirmation_83783667... Startdate: 18/07/2020 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 6 other signatures 2->66 7 order confirmation_83783667367636.exe 1 6 2->7         started        11 wscript.exe 1 2->11         started        13 wscript.exe 1 2->13         started        process3 file4 34 C:\302494\gmLzZZ\gmLzZ.exe, PE32 7->34 dropped 36 order confirmation...83667367636.exe.log, ASCII 7->36 dropped 38 C:\302494\gmLzZZ\gmLzZZNIT.vbs, ASCII 7->38 dropped 40 C:\302494\gmLzZZ\gmLzZ.exe:Zone.Identifier, ASCII 7->40 dropped 68 Creates autostart registry keys with suspicious values (likely registry only malware) 7->68 70 Maps a DLL or memory area into another process 7->70 15 RegSvcs.exe 55 7->15         started        20 gmLzZ.exe 1 11->20         started        22 gmLzZ.exe 13->22         started        signatures5 process6 dnsIp7 44 104.27.132.213, 49734, 49740, 49743 CLOUDFLARENETUS United States 15->44 46 asatechw.ga 104.27.133.213, 49731, 49732, 49733 CLOUDFLARENETUS United States 15->46 32 C:\Users\user\AppData\Roaming\...\AA2F06.exe, PE32 15->32 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->48 50 Tries to steal Mail credentials (via file registry) 15->50 52 Tries to steal Mail credentials (via file access) 15->52 54 Multi AV Scanner detection for dropped file 20->54 56 Machine Learning detection for dropped file 20->56 58 Maps a DLL or memory area into another process 20->58 24 RegSvcs.exe 1 53 20->24         started        28 RegSvcs.exe 22->28         started        30 RegSvcs.exe 22->30         started        file8 signatures9 process10 dnsIp11 42 asatechw.ga 24->42 72 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->72 74 Tries to steal Mail credentials (via file access) 24->74 76 Tries to harvest and steal ftp login credentials 24->76 78 Tries to harvest and steal browser information (history, passwords, etc) 24->78 signatures12
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0fad781290e1db5165942e6d7254edf797efcb2dc7712963286e054065be4ec1/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 18:33:05 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6wxqeuq4hnvczmufzwxevhn66l67szny5yssyzinycuazn6j3aq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1f1745eb2812b5c0cc6c26b69661ea1d8ab78a541271950e7b97d0cd2b502db1
Loki
2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1
Loki
2c64af2b995ad6b33bc90f4103e1ae990db77c9c341279c0ab0af1c38d414405
Loki
6b95bdd0d0a511eb1fb20709941e92eb049f4e246b5615554090520a9a509799
Loki
77777da436f12d38fe7834a137bc2bf51c1f09324a1e274d22e51c2ee0b4b8c3
Loki
894a27ced4c36d822d725c58c772cf092cc61cfdfa049c935bf09e83fae6de56
Loki
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
Loki
ceeffdff4b0af45c77f3923e47c03a529c87dd4e0e92fdc88b0551857df53239
Loki
cf60dd8e927a419d76dfb060c649c888dacc338cc14b5e3abf5e388213fec520
Loki
e336780f3321d06dfea57c94467d65e0ab2ab92d77c0267cf17b8d51359a5e38
Loki
+ 1'528 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200716-y2bh7tx6gx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://asatechw.ga/obama/five/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 0fad781290e1db5165942e6d7254edf797efcb2dc7712963286e054065be4ec1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26938/

Comments