MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 198d58cc197591cc16533aa30d1eb358dd1f7d9788467e15a7a1430c039399ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs YARA 15 File information Comments 1

SHA256 hash:	198d58cc197591cc16533aa30d1eb358dd1f7d9788467e15a7a1430c039399ea
SHA3-384 hash:	4c06c4d1980ea2aa4c10843f8e546e97862eea627dfcfb8071c0c793f8bf8c9227aa2d0d5cccdf442f5807c64b9d32e7
SHA1 hash:	cf8187986e2776abfce35a6beba895012b97d173
MD5 hash:	07a900b9ecc4bd5bd4137137961769a2
humanhash:	delaware-ceiling-mississippi-oxygen
File name:	07a900b9ecc4bd5bd4137137961769a2
Download:	download sample
Signature	Loki Create hunting rule
File size:	514'560 bytes
First seen:	2023-07-05 03:45:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:UmmP/nD2VO5wAHts6oFKCYoxbDbhPqEwpjR:Y/nvwtYox8L
Threatray	4'200 similar samples on MalwareBazaar
TLSH	T1E6B4383C1CBC5E32C170C6A68FD5C461F558C5EB32A28F3667C79A954A1EA0229CBD3D
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	595979c4d4d4d4d4 (6 x AsyncRAT, 2 x Loki)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

07a900b9ecc4bd5bd4137137961769a2

Verdict:

Malicious activity

Analysis date:

2023-07-05 03:46:18 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/aae30181-1183-4da3-87b1-0a3bd1959221

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/407345/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.101591.30902.18318.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

71%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/64a4e77c6647cd2df844b277/reports/49c51a88-efe7-4e0c-bfc0-e8334465d8ec/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/198d58cc197591cc16533aa30d1eb358dd1f7d9788467e15a7a1430c039399ea

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fd0b90f7-83f8-445a-982e-6067e203357c

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1266903

Signature

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/198d58cc197591cc16533aa30d1eb358dd1f7d9788467e15a7a1430c039399ea/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-07-04 18:19:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dggvrtazowi4yfsthkrq2hvtldor67mxrbdh4fnhufbqya4tthva._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

29fb5b111ae1c20a4b6a0e74b8df0748b1ccea58aa9d07a80f0bd1bb4577db56

Loki

355b738b1bfefdf20d18bc264d0741069c463d35eb34545de12a2187dbf2665a

Loki

82459746ad789498fb60c495e633e452cd072fe0ac457a0032cac23fd12f6610

Loki

b55d2b174334aeb67e0568c3b9262fa719382647326eb5428fdcff753b9a7643

Loki

d9ad2df08f75b265cb1865f6f3ba322488b69ab7fa1ce94ca509b27ec1c10129

Loki

e3a60c9d44679aa4a97d4a7d8c60e56dfc63243c126a8e92a92ba527dc4f5ee2

Loki

+ 4'190 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230705-ebmdfsbh81/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://161.35.102.56/~nikol/?p=3702260915
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672

MD5 hash:

14ee8b8b7e47469317d1012f0898b111

SHA1 hash:

c6da4e2f1ab8c277129026648cbf97d8d6126245

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672

MD5 hash:

14ee8b8b7e47469317d1012f0898b111

SHA1 hash:

c6da4e2f1ab8c277129026648cbf97d8d6126245

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

12da305af19dfb2a35471542857e1f3440dc02c4db1135ff1442b5e66a626731

MD5 hash:

4da6e8fb63a07cb84e8736e4eafb4acf

SHA1 hash:

c6669403168d52ab94cc7e092ed927c450a049d1

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

12da305af19dfb2a35471542857e1f3440dc02c4db1135ff1442b5e66a626731

MD5 hash:

4da6e8fb63a07cb84e8736e4eafb4acf

SHA1 hash:

c6669403168d52ab94cc7e092ed927c450a049d1

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

a487dfdd6e34434832649c2560874bb9889d8ef40a53c3ee0bf39828479f44f9

MD5 hash:

5195bcf26451220f670dc3c9bbad319b

SHA1 hash:

4cc9d8baf9af43fc3e6019e2fc3c8f937823b9c5

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

a487dfdd6e34434832649c2560874bb9889d8ef40a53c3ee0bf39828479f44f9

MD5 hash:

5195bcf26451220f670dc3c9bbad319b

SHA1 hash:

4cc9d8baf9af43fc3e6019e2fc3c8f937823b9c5

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672

MD5 hash:

14ee8b8b7e47469317d1012f0898b111

SHA1 hash:

c6da4e2f1ab8c277129026648cbf97d8d6126245

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

12da305af19dfb2a35471542857e1f3440dc02c4db1135ff1442b5e66a626731

MD5 hash:

4da6e8fb63a07cb84e8736e4eafb4acf

SHA1 hash:

c6669403168d52ab94cc7e092ed927c450a049d1

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

a487dfdd6e34434832649c2560874bb9889d8ef40a53c3ee0bf39828479f44f9

MD5 hash:

5195bcf26451220f670dc3c9bbad319b

SHA1 hash:

4cc9d8baf9af43fc3e6019e2fc3c8f937823b9c5

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

8022eb6a31ff09510ea4bc66e3a92f6f5ef5cd23412d10e12207e93ec38c3672

MD5 hash:

14ee8b8b7e47469317d1012f0898b111

SHA1 hash:

c6da4e2f1ab8c277129026648cbf97d8d6126245

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

12da305af19dfb2a35471542857e1f3440dc02c4db1135ff1442b5e66a626731

MD5 hash:

4da6e8fb63a07cb84e8736e4eafb4acf

SHA1 hash:

c6669403168d52ab94cc7e092ed927c450a049d1

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

9d6c73e273a966a4ed1d93350392d965792ddf5ad201bfa28b8adcec2e344db5

MD5 hash:

adac60763fcfe4d5f4ad323046e79500

SHA1 hash:

9ced772a90ddec9fffde8c745225ad289f3f087e

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

a487dfdd6e34434832649c2560874bb9889d8ef40a53c3ee0bf39828479f44f9

MD5 hash:

5195bcf26451220f670dc3c9bbad319b

SHA1 hash:

4cc9d8baf9af43fc3e6019e2fc3c8f937823b9c5

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

SH256 hash:

198d58cc197591cc16533aa30d1eb358dd1f7d9788467e15a7a1430c039399ea

MD5 hash:

07a900b9ecc4bd5bd4137137961769a2

SHA1 hash:

cf8187986e2776abfce35a6beba895012b97d173

Link:

https://www.unpac.me/results/93115f50-90b7-45be-adae-a93bcf1b8234/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/198d58cc1975/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/198d58cc197591cc16533aa30d1eb358dd1f7d9788467e15a7a1430c039399ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 198d58cc197591cc16533aa30d1eb358dd1f7d9788467e15a7a1430c039399ea

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2676807/

Cape

https://www.capesandbox.com/analysis/407345/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-07-05 03:45:34 UTC

url : hxxp://185.246.220.60/dukaszx.exe