MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1
SHA3-384 hash: f5684631c5019d3ba5469f5c3218802b3f654827b0d284b94634dfd716aa218a6231b14e339648d520465fd67cf37026
SHA1 hash: 5f269b13e27f52e4b52a3be14c6bb0dc17ce3186
MD5 hash: c12f709034765d3b019c3b0b3fd46888
humanhash: oklahoma-jupiter-johnny-mountain
File name:REqAO25caeLL49E.exe
Download: download sample
Signature Loki
Create hunting rule
File size:492'032 bytes
First seen:2023-05-08 06:56:34 UTC
Last seen:2023-05-13 22:56:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:gE8omwPF0bwIBuYp/lJIl/9UBEM20LdK6:gEowPmJuxTE1ZK
Threatray 4'301 similar samples on MalwareBazaar
TLSH T1E2A41285B2F6CAA7F81E85F5063CB14023B270A791D0DBD44E726E885FDAB40AF4495F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 285430d4d0305428 (10 x Loki, 7 x AgentTesla, 6 x SnakeKeylogger)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
4
# of downloads :
255
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
REqAO25caeLL49E.exe
Verdict:
Malicious activity
Analysis date:
2023-05-08 06:57:26 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/2c1855f5-2d27-4693-9aa3-e46cd21ceb83

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387409/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet lokibot packed
Link:
https://www.filescan.io/uploads/64589d4128594fea9adf5425/reports/63699cb3-f057-4365-9a14-31d76b80d847/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/68d3084e-572e-40b7-b33a-b96bfba12f41
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1228021
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-08 02:46:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ccmmgd4nalckzk6fr75lynhtbyvcgtdqfbi6drwirids26k2f3yq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
099dfc4278cbcfc8c1e84bd46bde0b5ddbdc86b20d95b8ba6b98b66b4436a345
Loki
1aa1a9e5b07f7e5a5d4cfb16aaadd4a68e2bd76c42f96e932396ccc8d5f18785
Loki
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
Loki
45ecfd36d97932c3c4fb1548684eaa696d4288cb373d95bae9010e057291611b
Loki
82faa2430877999d6998765647feeb8a474a5672736637d8278efa9e2425ca83
Loki
878f78260ff0cc10af5b6aef90f7352b83dd20db8394db7ba06bb3230a54e674
Loki
ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee
Loki
d45f5ad41b7903babda50ffd7511660f1a092699c0ec56ca0dc347fccfe0f208
Loki
f36afdc4b01e349a83cd54619dcc3864d800c328c784c79ccce271ff48742523
Loki
f79a80b0ff4dd1066e5c4844882278b420c591a05c73838a1c69190f0d145826
Loki
+ 4'291 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230508-hqx1aahd45/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://104.156.227.195/~blog/?p=369572314317708
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
6edb1c610ce66ff00516645c5a1022c39b326ebacf05136d51c1dc189503a291
MD5 hash:
fdfcec05c0201b1bce852af9b7be06e7
SHA1 hash:
f4db5c12d2513cdb930bce6d84320d3b1df24c82
Link:
https://www.unpac.me/results/35dc1673-7264-47db-9597-fa3e10484a63/
SH256 hash:
1260ac1b8623f668397c4bf2b909a906c67690355c4f2bb353180ac84f01b114
MD5 hash:
c6f35d0dceba8fb7443bdef9478ae7d0
SHA1 hash:
f2e5858b27711e3db7edf016f4256680a514369f
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/35dc1673-7264-47db-9597-fa3e10484a63/
Parent samples :
1ecc2a4139ce825a85a02bef3426dbcb6a37cc2577dd665fe7c41a73fdd58370
d45f5ad41b7903babda50ffd7511660f1a092699c0ec56ca0dc347fccfe0f208
d648b91e497bc62670602ae9cf08df7d4bab7bdee902b0db3b6e308b91ad34a1
1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1
4920cdf96db967e0df5414de0d8318d018be7af985158dddd3a4cf77af565bf9
108ad52223146f11df1f746b5b2fa805905c183d0fab1ed35cabaa0226df91de
661f0077a13a392c0858af2bae3847217f79dc8a95b01a025692b5cf5c96ceb5
f9dbe1921bff42503418284402eedad115506b454ffa177d32d25802d1a9890d
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/35dc1673-7264-47db-9597-fa3e10484a63/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
264ee3c3600e481b6e87c0032d84f2cced8f7ab95a7335eb7b0820c53f86d4df
MD5 hash:
84bf14a40135917569cbe6fddee167d2
SHA1 hash:
5c184e6d67769cc2f29bad71c9e036037f2609b6
Link:
https://www.unpac.me/results/35dc1673-7264-47db-9597-fa3e10484a63/
SH256 hash:
124130d92fa8b408174b9091c4d78c53f20a0442c02b13f3a71e081f34299ded
MD5 hash:
7c2f69fab67f6b47f78d39f1619eee9b
SHA1 hash:
5131f61a0f05333ae0cde0e4325a983c74f1d36c
Link:
https://www.unpac.me/results/35dc1673-7264-47db-9597-fa3e10484a63/
SH256 hash:
1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1
MD5 hash:
c12f709034765d3b019c3b0b3fd46888
SHA1 hash:
5f269b13e27f52e4b52a3be14c6bb0dc17ce3186
Link:
https://www.unpac.me/results/35dc1673-7264-47db-9597-fa3e10484a63/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1098c30f8d02/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 2f7e808c9d3b349dee6bd9562cd2a52db31f71e3cfd649132b34e6085e543634

Loki

Executable exe 1098c30f8d02c4acabc58ffabc34f30e2a234c702851e1c6c88a072d795a2ef1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/387409/
  
Dropped by
SHA256 2f7e808c9d3b349dee6bd9562cd2a52db31f71e3cfd649132b34e6085e543634
  
Dropped by
MD5 13b4c5877be8f4e63887544f62d79031

Comments