MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59
SHA3-384 hash: 6ba38b48053106d678f09cb11d890eba766920255bb185a515cf3402389cdc213bcdaab840d4be8168f24b0220f1df90
SHA1 hash: 1e0feee7824020b2f81142a6457cb642f7577019
MD5 hash: ffd19223337b5065575b644ac78728d6
humanhash: earth-sierra-mountain-oregon
File name:SwfitCopypdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:599'040 bytes
First seen:2023-09-18 06:10:18 UTC
Last seen:2023-09-18 06:43:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:3BBMR521QtNaCBqO+AbFy5c0ImCAdazhLl+3FIsphDzj7jrAbxprZZ:3fXWFY6PXuaMPpZzj7XA
Threatray 4'012 similar samples on MalwareBazaar
TLSH T14ED4BE68326171DFC827CE768E691CA0AA71747B670BC21BA057129DDE0E693CF106F7
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://moore.meyervanderwalt.top/_errorpages/moore/five/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/449245/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Crypt.3224.28962.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Restart of the analyzed sample
Enabling the 'hidden' option for analyzed file
Moving of the original file
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6507e9f7f1b40cb0d61dc5ef/reports/b70dd283-75c6-458e-9f32-3057afbb5a57/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f602e604-0d37-4e12-b8bf-3b2c15117e1c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1309781
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1309781 Sample: SwfitCopypdf.exe Startdate: 18/09/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 11 other signatures 2->51 7 SwfitCopypdf.exe 7 2->7         started        11 pPFEZOHZKrHfp.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\pPFEZOHZKrHfp.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp7078.tmp, XML 7->37 dropped 53 Detected unpacking (changes PE section rights) 7->53 55 Detected unpacking (overwrites its own PE header) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 13 SwfitCopypdf.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        61 Antivirus detection for dropped file 11->61 63 Multi AV Scanner detection for dropped file 11->63 65 Tries to steal Mail credentials (via file registry) 11->65 67 Machine Learning detection for dropped file 11->67 23 schtasks.exe 1 11->23         started        25 pPFEZOHZKrHfp.exe 11->25         started        signatures5 process6 dnsIp7 39 moore.meyervanderwalt.top 104.21.31.243, 49711, 49712, 49713 CLOUDFLARENETUS United States 13->39 41 172.67.180.247, 49714, 49715, 49716 CLOUDFLARENETUS United States 13->41 43 192.168.2.1 unknown unknown 13->43 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->69 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal ftp login credentials 13->73 75 Tries to harvest and steal browser information (history, passwords, etc) 13->75 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-09-18 00:00:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3fy22gcplhxravmdhuisr4zjuouakosksffbpc262vnw6cub5mq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
05360352816fd2dfd09c05a57131f86c59fd38f7153c5261973216cf596ad077
Loki
08ee24a724926d938d89f5c7c7650eaf67512a64386dd3d3aea068ba1157c0bf
Loki
142b5c747f40768652455670aa1050e6b2cbd7cb1517c3ab0b958007ddc9e692
Loki
421a2cdb38bab8dbe89a27d19656ac41518049efc0018e1dfe7580b93db7102d
Loki
5d200010b1e304c628c669df531476f099b0ca944a1c52e5025f6fc1af16ad1b
Loki
75a9fc79b2513a8964a0dcf3a0749a399a857d3feb2fa3c0d62de6f51ea5971f
Loki
ab38780451a464e6a292bedd185cfebae8032e19437f01a1e877f87e33bf4ac7
Loki
c66d4b72b5c5e730f5ad11169a86e3b51f4e7d7b4a83c5041a0bf41218870eca
Loki
d2e1eead980699faad8218e03f34a2a6309f4fa40c43126f752a8e759a1c1fbd
Loki
fe36ee5707daa891a4902579d1ef2a98d681bf50d87982a1a331432277924365
Loki
+ 4'002 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230918-gx614afd2v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://moore.meyervanderwalt.top/_errorpages/moore/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
0cc2d545cdbc9aca7ac5732fc2e1858bae1b8c575e67f0b4b8077610c5597806
MD5 hash:
604ba9fe5293c6b09155e9593e5fe8b4
SHA1 hash:
c9ca531c5c50091dcdeabea6af26643e897fe3f8
Link:
https://www.unpac.me/results/4f9cc652-93ff-45cc-898a-6f12547f151b/
SH256 hash:
4ec626901c2cc17a968bcb40551e5383335ffd3c834b89020498319d623553f6
MD5 hash:
79c7ae10e17773957c0d0afe14fc61e4
SHA1 hash:
588ebdbee019723ec6c32218403c205247c833c0
Link:
https://www.unpac.me/results/4f9cc652-93ff-45cc-898a-6f12547f151b/
SH256 hash:
90d05de22d370244a60624a95b17ea400116906f7791a1fcdf4f6efa57afedf1
MD5 hash:
9c32e3c7c7b6fafab1095d26b341dd5d
SHA1 hash:
2d613f623acb8634e2f4283087872a27fad3ebdc
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/4f9cc652-93ff-45cc-898a-6f12547f151b/
Parent samples :
cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0
16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59
994dc036815301e1dc941170900f527cea3db5a51ccbbcdd58863a9914d5d1f7
987bb2748cb98b169046adc19157f2225896231e547d55298efaea4cc19331ab
SH256 hash:
a93ab27d9bd9aa5b52288ff259e1dd2e8de2c873ee8fd5bbae64bca6f7624ce0
MD5 hash:
f2a2d829d920d375609a49544173df5a
SHA1 hash:
2af0e17de7935177d0a503ec980836fae9e17920
Link:
https://www.unpac.me/results/4f9cc652-93ff-45cc-898a-6f12547f151b/
SH256 hash:
16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59
MD5 hash:
ffd19223337b5065575b644ac78728d6
SHA1 hash:
1e0feee7824020b2f81142a6457cb642f7577019
Link:
https://www.unpac.me/results/4f9cc652-93ff-45cc-898a-6f12547f151b/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16cb8d68c27a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/449245/

Comments