MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10f675a780a5814df0a79b673213a2ed2989816a517797df5656551b0819789c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10f675a780a5814df0a79b673213a2ed2989816a517797df5656551b0819789c
SHA3-384 hash: 01b27ab281e4dbfedcd9b7c70f4c1f4fbd1f7c1a66006e4cbc7f06318384e244d9a64e8a8cf2accac1b5f94e3f9376d0
SHA1 hash: dc5fefda3c4c080ce976c6938cc9bb097ffded63
MD5 hash: 52db97007f406b46ae0cc4b82ad882be
humanhash: texas-sierra-charlie-robin
File name:OrderRequest.exe
Download: download sample
Signature Loki
Create hunting rule
File size:892'416 bytes
First seen:2021-07-28 07:50:34 UTC
Last seen:2021-07-28 08:52:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b0314ee479bdc63de5d9ecc103e236bf (1 x Loki)
ssdeep 12288:Y3oqJEnEbvGCokzsd73125zTkaP47dMfrGoa59YDcX6lGXC6+1G6w:Y3X/VzG7oTP47dWiLYDcXpCt
Threatray 4'077 similar samples on MalwareBazaar
TLSH T165158E23A69794BBEC721A389C075294BC1EBDC03B2465C56BF43CC89F3A69139357C6
dhash icon 35f0e4808c9288e5 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://ibmcloudstorage.ml/prof2/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ibmcloudstorage.ml/prof2/fre.php https://threatfox.abuse.ch/ioc/163328/

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OrderRequest.exe
Verdict:
Malicious activity
Analysis date:
2021-07-28 07:53:14 UTC
Tags:
installer trojan lokibot stealer
Link:
https://app.any.run/tasks/fe4f4809-4b52-4903-9997-dec53f77a99b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174590/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.16723.23459.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b294562-307a-40a4-9124-7130a9c94c43
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/822946
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 455358 Sample: OrderRequest.exe Startdate: 28/07/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 6 other signatures 2->52 6 Wuiojpj.exe 13 2->6         started        10 OrderRequest.exe 1 19 2->10         started        13 Wuiojpj.exe 13 2->13         started        process3 dnsIp4 26 162.159.134.233, 443, 49766 CLOUDFLARENETUS United States 6->26 54 Detected unpacking (changes PE section rights) 6->54 56 Detected unpacking (overwrites its own PE header) 6->56 58 Injects a PE file into a foreign processes 6->58 15 Wuiojpj.exe 53 6->15         started        28 cdn.discordapp.com 162.159.133.233, 443, 49745, 49746 CLOUDFLARENETUS United States 10->28 24 C:\Users\Public\Libraries\...\Wuiojpj.exe, PE32 10->24 dropped 60 Tries to steal Mail credentials (via file registry) 10->60 20 OrderRequest.exe 54 10->20         started        30 162.159.130.233, 443, 49772 CLOUDFLARENETUS United States 13->30 file5 signatures6 process7 dnsIp8 22 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 15->22 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Tries to steal Mail credentials (via file access) 15->40 42 Tries to harvest and steal ftp login credentials 15->42 44 Tries to harvest and steal browser information (history, passwords, etc) 15->44 32 104.21.12.232, 49752, 49779, 49780 CLOUDFLARENETUS United States 20->32 34 ibmcloudstorage.ml 172.67.153.185, 49751, 49753, 49754 CLOUDFLARENETUS United States 20->34 36 192.168.2.1 unknown unknown 20->36 file9 signatures10
Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-28 07:51:06 UTC
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cd3hlj4auwau34fhtnttee5c5uuytalkkf3zpx2wkzkrwcazpcoa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737
Loki
4cadcc2d7a8ecf067470f99305eca7473fb339936290259643ece74a8502dfb3
Loki
4eec9ac382b6fcbf861641137d9a597a04a891a47983252137a7b0fdbbeb842b
Loki
59e89b6c82dadac498290fd0e2cb01cd1f4e3808cea501aaea5ed814a604b0fd
Loki
7a192e61d40bed06f4bad4e004d2a1152f3c1955c4cbe6dcbe4076f400670374
Loki
99a2d4cae6d4e47b8eb87e544b01beb80c5bf1cd399e3d9bdbf51ac96747bbaa
Loki
aa9570887695577e03ee3b6dc119e2776ad158e0b9654505cd59d9ed86b61cb0
Loki
e01d70a2ddf0c706a1f5e4847f8c099ffdc821b188f98dc15f528c8bf34a6630
Loki
eaa14ff5cdf3ec428bd1b0c2689272996741a4c93f3c1289934057c3c5cafc78
Loki
+ 4'067 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/210728-cy56vkwxd2/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://ibmcloudstorage.ml/prof2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d174ea83359cec0b0a35da88fa2a1791a1308e35a5e36e83f51a2723e48582a6
MD5 hash:
5c63077607b089e7045eb5e93d8324d9
SHA1 hash:
9ca12c4d6e4a97269d26fe6755aae441276bff42
Link:
https://www.unpac.me/results/2625e5cb-1be5-47ca-b464-ce42e82908a0/
SH256 hash:
10f675a780a5814df0a79b673213a2ed2989816a517797df5656551b0819789c
MD5 hash:
52db97007f406b46ae0cc4b82ad882be
SHA1 hash:
dc5fefda3c4c080ce976c6938cc9bb097ffded63
Link:
https://www.unpac.me/results/2625e5cb-1be5-47ca-b464-ce42e82908a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/10f675a780a5814df0a79b673213a2ed2989816a517797df5656551b0819789c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/174590/

Comments