MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fdb9539c14e35356bc932a782c37005f15e214910b163ef0b3ea4ddb631693d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fdb9539c14e35356bc932a782c37005f15e214910b163ef0b3ea4ddb631693d
SHA3-384 hash: ec0668d5d1c5b370c407d75b0256caf62377e3d65b40b163ab3f55640a371d083e4d97c1d3d7e01fe0829624bf3ce2ab
SHA1 hash: 399299519229a093d7ba27705e2bae5f2f2c4c3b
MD5 hash: c8e119d5b2581a77d8ac0827bb977586
humanhash: winter-alaska-vegan-november
File name:UBL e-statement.exe
Download: download sample
Signature Loki
Create hunting rule
File size:327'093 bytes
First seen:2022-02-16 10:55:55 UTC
Last seen:2022-02-16 13:27:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 6144:LwaL/AIlIXdJWBLobiJ5k00WLz5nYWwKOIa97+nh6bqauCmEEp8sk+:FL4VdJWhqiEWX5nLY+nobrHTsd
Threatray 6'419 similar samples on MalwareBazaar
TLSH T1A364128B10C1C0D7CC1A1972DB93A77FC3B75D510EE704978FC93EEA183768669269A8
File icon (PE):PE icon
dhash icon 00b28ae6e69ab000 (1 x Loki)
Reporter pr0xylife
Tags:exe Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://164.90.194.235/?id=1858379398280910 https://threatfox.abuse.ch/ioc/388135/

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241884/
Detection(s):
SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620cd848ac8ad0468b467c39/reports/5d0763d4-1f52-481c-9e4a-53acd6920935/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6de6583d-7047-450e-a4a6-86ad816b2747
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940745
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0fdb9539c14e35356bc932a782c37005f15e214910b163ef0b3ea4ddb631693d/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 10:56:13 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7nzkoobjy2tk26jgktyfq3qaxyv4ikjccywh3ylh2sn3nrrne6q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
10a06f1650a8c3e527908b4cf0bb311b21883de6d5aa541907243f4788748704
Loki
132ab6bad9a67e89e621caa83db4baa17664e89d8d13a12fba8f2e8a1e72e48e
Loki
13c9e72370631d555cab3bd6ba12339252fa26915a6a60741668aea478a17cbb
Loki
3b0ea9fb4bcc9cebe136e3d53d6da997fcbc00ac690f5ec9381d75941be38875
Loki
41d5c1e02c1b4a694660a1c8759ffd46569f5b9574ed99a08d3f00cd2765d2d0
Loki
6dd1c29a05cc6e24d9b0cad1cf09b31f71119a890fbcede2319a88764fe0bf5a
Loki
72b3a21dff08038b8e3e3a8eeca4495de6e0a782cdd2dac8e3a42171e208fbcc
Loki
990f9670fa7d9b45b44f6f4e9de0ad9a71c2f519d4b654ada06464f742d5899a
Loki
b20256d1444836e3b99830ad0e6039478db5252eaf692c968f5e0ff76151d89f
Loki
bc0e16211a99339ba627f993e0dbeb0009fe65a2fd37f0e8153ef7c12dfef263
Loki
+ 6'409 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220216-m1ptwachbm/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://164.90.194.235/?id=1858379398280910
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
5f77817aaf6d94eb7ffadbebbc43fc5a73577b29b87e9dd0efd356cc4d9b4f08
MD5 hash:
08e98fefa86723597e3634b71a6d566b
SHA1 hash:
121cc344b12bf1986793cfa2ed05223481ccd329
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/ad039c20-b4b4-452d-bb11-9570a005ee4f/
SH256 hash:
950046e65cbb095641a5ddd179317ca8c9b272381a2a94c570f0a6ee96441bcf
MD5 hash:
9393236026ee52ecd08a86ea04dc45b0
SHA1 hash:
bea9094d657fa424597a7f59b8e744bc04074bfb
Link:
https://www.unpac.me/results/ad039c20-b4b4-452d-bb11-9570a005ee4f/
SH256 hash:
0fdb9539c14e35356bc932a782c37005f15e214910b163ef0b3ea4ddb631693d
MD5 hash:
c8e119d5b2581a77d8ac0827bb977586
SHA1 hash:
399299519229a093d7ba27705e2bae5f2f2c4c3b
Link:
https://www.unpac.me/results/ad039c20-b4b4-452d-bb11-9570a005ee4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0fdb9539c14e35356bc932a782c37005f15e214910b163ef0b3ea4ddb631693d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241884/

Comments