MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f
SHA3-384 hash:	1d4f6ae5a2acd24d50fe430807b44dd0897be485b9c1d3fd7359a8a29d6cefd4c37b736c30a88349289873822d972061
SHA1 hash:	1a2e35d2e7995fbfef439de6b6b19c8bd92f6be1
MD5 hash:	abfb37bce2754cc41908cf5b7de010a7
humanhash:	quiet-river-nevada-neptune
File name:	13B7F376D27CE6DE51165613F7FAF54350E0FBD2C50B5.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	712'704 bytes
First seen:	2023-02-11 21:10:21 UTC
Last seen:	2023-02-11 22:28:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b7082d2ef50ad9c72d019e1ed569c4d8 (1 x Loki)
ssdeep	12288:xkpU/KVU3rXqfhRg5sPK2b4U4a4/1IJGL5aML8QmRuoJWAajyHucbNtixdiViVi:eGkU3rX9GpLS9hY88Qm13H
TLSH	T11FE47C22B3E08432F227153ADC1B57F4D935BD10AA29589B2BE47E4CAF3768037652D7
TrID	33.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 30.5% (.SCR) Windows screen saver (13097/50/3) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 6.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	13234b1b63595965 (1 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://62.108.40.64/queloki/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

13B7F376D27CE6DE51165613F7FAF54350E0FBD2C50B5.exe

Verdict:

No threats detected

Analysis date:

2023-02-11 21:12:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/383d737f-2356-4579-bfc4-29ba04f3d119

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/364154/

Detection(s):

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.RGW@ceQHn3ci.18481.25041.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/68284/overview

Behaviour

MalwareBazaar

CheckCmdLine

Gathering data

Verdict:

Malicious

Labled as:

Trojan.NanoBot

Link:

https://www.hybrid-analysis.com/sample/13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/82f08a32-c010-4274-816a-0d7f99929f99

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1172266

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2018-10-17 23:13:04 UTC

File Type:

PE (Exe)

Extracted files:

124

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=co37g5wspttn4uiwkyj7p6xviniob66syufvbhprxxbxatrgqchq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230211-z1kw5saf98/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://62.108.40.64/queloki/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

c98eb2cf409d7dea5088ea0286f463912706ef2a78c08e2323e37ad406e97d06

MD5 hash:

e6d416adf60a93d1e8936f23f0c97975

SHA1 hash:

8c07b7787a07eddf91ef9918684c70264a987a7e

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/9b6b7326-cc5c-4ebe-867e-e7562b4fddeb/

SH256 hash:

13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f

MD5 hash:

abfb37bce2754cc41908cf5b7de010a7

SHA1 hash:

1a2e35d2e7995fbfef439de6b6b19c8bd92f6be1

Link:

https://www.unpac.me/results/9b6b7326-cc5c-4ebe-867e-e7562b4fddeb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/364154/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample