MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1844d9684eaed87d1549686887b88eb1f7fea807ce3348d6d5d9d41b77f69c57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 8

SHA256 hash: 1844d9684eaed87d1549686887b88eb1f7fea807ce3348d6d5d9d41b77f69c57
SHA3-384 hash: ac5cdd6e14fe7d89653acb6bb75c6c1a510a1a32725db02680b536808887dc187b37d119eba049759bb0ccf86d9e7a59
SHA1 hash: 7394a7711473bf2d3506d389c8d3c28e7a206565
MD5 hash: 335410b731381c91ed5629fed903ed50
humanhash: oscar-helium-sierra-michigan
File name: win32.bin
Signature: Loki
File size: 373'491 bytes
First seen: 2020-08-25 08:38:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f4223e271413c25abad52fd456a9bc (21 x GuLoader, 15 x Loki, 10 x AgentTesla)
ssdeep: 6144:LHfYbhOH4giIzFeuYczyp+X4asJpCC95Rt3CwWjy2eMrV9rOV1Gy:LmOHfFeuYtpZPJ/DterV9rOVoy
Threatray: 253 similar samples on MalwareBazaar
TLSH: 2C841207E2B7E517EE654AB8097117713EAEAE011099AB0F4B603E6D3C3A2D3563D31D
Reporter: JAMESWT_WT
Tags: Loki

Intelligence

File Origin
# of uploads: 1
# of downloads: 90
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Launching a process
Sending a UDP request
Launching cmd.exe command interpreter
Reading critical registry keys
Changing a file
Replacing files
DNS request
Sending an HTTP POST request
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Creating a window
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a system process
Stealing user critical data
Result
Threat name: FormBook Betabot Lokibot
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to create processes via WMI
Creates an undocumented autostart registry key
Detected FormBook malware
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hijacks the control flow in another process
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Internet Explorer zone settings
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Overwrites Windows DLL code with PUSH RET codes
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Betabot
Yara detected FormBook
Yara detected Lokibot
Behaviour
Behavior Graph: [rendered process graph; Behavior Graph ID: 276622, Sample: win32.bin, Startdate: 25/08/2020, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Ransomware.MyxaH
Status: Malicious
First seen: 2020-08-25 08:37:49 UTC
File Type: PE (Exe)
Extracted files: 42
AV detection: 33 of 48 (68.75%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: spyware trojan stealer family:lokibot
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Lokibot
Malware Config
C2 Extraction:
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Loki
File type: Executable exe
SHA256: 1844d9684eaed87d1549686887b88eb1f7fea807ce3348d6d5d9d41b77f69c57 (this sample)

Delivery method
Distributed via web download