MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 156b8eeeaed97f542da5218c8c0a4117b5fb5865ff6094b5546442d912f5366e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 156b8eeeaed97f542da5218c8c0a4117b5fb5865ff6094b5546442d912f5366e
SHA3-384 hash: c47cfd0ed338eb214bed962aa228399c9ac86b7855fe7fd9d990fee8f7223da69ce00e8350e04b67ae94bd818cdeb4a3
SHA1 hash: 7a99f00c1c1591cec289575c51cc7f0768025f0c
MD5 hash: 89a84e0e14ffe871c73cd121ab13b6d5
humanhash: fanta-william-sodium-berlin
File name:SDJ-0488.exe
Download: download sample
Signature Loki
Create hunting rule
File size:265'728 bytes
First seen:2020-11-17 08:34:57 UTC
Last seen:2020-11-19 14:43:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:88rDbcjb4X7L78Fri/R4fsXqDDu3ztHx:88rEjbUL/R2Uqof
Threatray 467 similar samples on MalwareBazaar
TLSH ED44BF723D92586ECA7A077514AA85C1FAB627C73FA18B0DB19F430C0F11A1FAB53647
Reporter ffforward
Tags:exe Loki Lokibot

Intelligence

File Origin
# of uploads :
4
# of downloads :
795
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.dc.22062.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/539186
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Add file from suspicious location to autostart registry
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318686 Sample: SDJ-0488.exe Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Yara detected Lokibot 2->59 61 4 other signatures 2->61 7 SDJ-0488.exe 8 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 31 C:\Users\user\AppData\Roaming\yihg.exe, PE32 7->31 dropped 33 C:\Users\user\...\yihg.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\...\SDJ-0488.exe.log, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\Temp\...\e.dll, PE32 7->37 dropped 63 Tries to detect virtualization through RDTSC time measurements 7->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->65 15 yihg.exe 3 7->15         started        19 cmd.exe 1 7->19         started        21 yihg.exe 3 11->21         started        signatures5 process6 file7 39 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 15->39 dropped 43 Writes to foreign memory regions 15->43 45 Allocates memory in foreign processes 15->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->47 49 Injects a PE file into a foreign processes 15->49 23 AddInProcess32.exe 54 15->23         started        27 reg.exe 1 1 19->27         started        29 conhost.exe 19->29         started        51 Machine Learning detection for dropped file 21->51 53 Tries to detect virtualization through RDTSC time measurements 21->53 signatures8 process9 dnsIp10 41 185.239.242.195, 49717, 49718, 49719 CLOUDIE-AS-APCloudieLimitedHK Moldova Republic of 23->41 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->67 69 Tries to steal Mail credentials (via file registry) 23->69 71 Tries to steal Mail credentials (via file access) 23->71 75 2 other signatures 23->75 73 Creates an autostart registry key pointing to binary in C:\Windows 27->73 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/156b8eeeaed97f542da5218c8c0a4117b5fb5865ff6094b5546442d912f5366e/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 08:35:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
59e6e153c09dcb84b6b55416a9168208c49d376eb9ce8b7b7d27b81937128a3c
Loki
824db89a974de2fdd2bab3b28897ebe67bc4efc7cd2dea9245ac4317c35cb909
Loki
83a00cced5b83593db2ff0ce7f23937ba5b836b28969c1a0d481a6e9fbea5f53
Loki
8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2
Loki
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
Loki
ac9239da18d97131d83ae2d9a24cbdfc0c4f5c232bb04bbeb0e6931e9ac5cc98
Loki
b511fbc6adf655af3e693e7a7081e62f26eacd616273f625a8e9c3568420e1fc
Loki
bfe1e40c9ca65dbaee9d648bb9f577e1791d4ab8feeff95758e7604bbcfbe639
Loki
cf68e1b1e8e89cf03b0d721957c794936947c8cf5f8c30401c20e075e4b37c6e
Loki
f332ebde8b3dc026728bf80e7edd9b0c0809e8df2e28f6baabaaa3327a295dca
Loki
+ 457 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer trojan
Link:
https://tria.ge/reports/201117-n1fnr9gk8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://185.239.242.195/os/2b/cgi.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
156b8eeeaed97f542da5218c8c0a4117b5fb5865ff6094b5546442d912f5366e
MD5 hash:
89a84e0e14ffe871c73cd121ab13b6d5
SHA1 hash:
7a99f00c1c1591cec289575c51cc7f0768025f0c
Link:
https://www.unpac.me/results/1e6373c6-3d25-4391-bd7c-3812054891bd/
SH256 hash:
08e20f0ace90cdd42477ba452249dd8e96f21bbb911168bae658c8771e6558e3
MD5 hash:
551278467b3910d7b8113eb0c970bc7c
SHA1 hash:
22a450059a38a43e3bacab5654eb54cff3bfcf5e
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1e6373c6-3d25-4391-bd7c-3812054891bd/
SH256 hash:
281374814e1b78913103bd8b1fd5b0a74ad94465dc91fc7d277fec45e95eb6b2
MD5 hash:
e220b7a94d989fb5a4ee4c0e204a64c6
SHA1 hash:
76e68808407b0184950536eab1fdebf5b98abcd4
Link:
https://www.unpac.me/results/1e6373c6-3d25-4391-bd7c-3812054891bd/
SH256 hash:
6e7156ff4287bf6a83d88eaff1c4e9ff586b2ed9a6265d6e98c5e074eb025282
MD5 hash:
8778cdc547a743aed714afea5d1227af
SHA1 hash:
b12215c2b847aea0aa5e1158fa69072bad2a985d
Link:
https://www.unpac.me/results/1e6373c6-3d25-4391-bd7c-3812054891bd/
SH256 hash:
322812b23e3db07f2c7af5dfe0147d23362623233894479a7d07e64bd794b52d
MD5 hash:
0c5408623a9340761f2b0e47959b12e5
SHA1 hash:
b50741fc15fe1afe874778915532a536c42bf73d
Link:
https://www.unpac.me/results/1e6373c6-3d25-4391-bd7c-3812054891bd/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/1e6373c6-3d25-4391-bd7c-3812054891bd/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Excel file xls 2310c9985e7434fdac9fab92a88e8f916bb079761a4ae354888533610ef48944

Loki

Executable exe 156b8eeeaed97f542da5218c8c0a4117b5fb5865ff6094b5546442d912f5366e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/825808/
  
Dropped by
SHA256 2310c9985e7434fdac9fab92a88e8f916bb079761a4ae354888533610ef48944
  
Delivery method
Distributed via web download

Comments