MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a37f5980dfaccf82f357074e3d3013e6280e14ddb291ff49b539393daa9da6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a37f5980dfaccf82f357074e3d3013e6280e14ddb291ff49b539393daa9da6d
SHA3-384 hash: 5cf7509aa7ec9a269cbc706f916d0c57cd903ad736bd75e28c3649d2f19db351288f58229ec87e3c30b6b171997f86e6
SHA1 hash: 2caa8f51053d9ebc43f10b65e98bbe70d3a3b0fa
MD5 hash: 2932643a3d5b254d1aa3b08e4453341b
humanhash: march-bakerloo-grey-aspen
File name:BOQfromemiratespalace.com.exe
Download: download sample
Signature Loki
Create hunting rule
File size:413'017 bytes
First seen:2022-09-27 07:21:42 UTC
Last seen:2022-09-27 11:39:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (430 x NirCmd, 392 x DCRat, 52 x RedLineStealer)
ssdeep 12288:lToPWBv/cpGrU3y8tGKqlIsrDHi5ogxE7ddrKY:lTbBv5rUlGKeFrDC5bW7qY
Threatray 10'383 similar samples on MalwareBazaar
TLSH T1A894D002BEC298B2D5B31D325A796B21A97CB9201FA5CEDF63D00A5DDE315C0D7317A2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://45.155.165.70/se8se/pin.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.155.165.70/se8se/pin.php https://threatfox.abuse.ch/ioc/851931/

Intelligence

File Origin
# of uploads :
2
# of downloads :
320
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
BOQ_from_emirates_palace.com
Verdict:
Malicious activity
Analysis date:
2022-09-28 07:03:08 UTC
Tags:
lokibot trojan stealer
Link:
https://app.any.run/tasks/645615eb-61e2-418e-b0af-dad5a8bad8ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/313849/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/39422/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6332a49d6db724e16b707e13/reports/2252728a-3914-4725-9cf6-649d368d03d2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a325c4cd-8dfc-4a26-82bc-fc56279101db
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078096
Signature
Antivirus detection for dropped file
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 710648 Sample: BOQfromemiratespalace.com.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for dropped file 2->80 82 4 other signatures 2->82 8 BOQfromemiratespalace.com.exe 10 2->8         started        11 xclx.exe 3 2->11         started        process3 dnsIp4 44 C:\Users\user\AppData\Local\Temp\gwaji.exe, PE32 8->44 dropped 15 gwaji.exe 1 4 8->15         started        64 192.168.2.1 unknown unknown 11->64 46 C:\Users\user\AppData\Local\Temp\D035.tmp, PE32 11->46 dropped 48 C:\Users\user\AppData\Local\Temp\6F07.tmp, PE32 11->48 dropped 50 C:\Users\user\AppData\Local\Temp\65DE.tmp, PE32 11->50 dropped 84 Machine Learning detection for dropped file 11->84 86 Found hidden mapped module (file has been removed from disk) 11->86 88 Maps a DLL or memory area into another process 11->88 19 WerFault.exe 10 11->19         started        21 xclx.exe 11->21         started        23 xclx.exe 11->23         started        25 xclx.exe 11->25         started        file5 signatures6 process7 file8 58 C:\Users\user\AppData\Roaming\...\xclx.exe, PE32 15->58 dropped 60 C:\Users\user\AppData\Local\Temp\3C91.tmp, PE32 15->60 dropped 62 C:\Users\user\AppData\Local\Temp\326E.tmp, PE32 15->62 dropped 68 Tries to steal Mail credentials (via file registry) 15->68 70 Machine Learning detection for dropped file 15->70 72 Found hidden mapped module (file has been removed from disk) 15->72 74 Maps a DLL or memory area into another process 15->74 27 gwaji.exe 54 15->27         started        32 xclx.exe 2 15->32         started        34 WerFault.exe 6 9 15->34         started        36 gwaji.exe 15->36         started        signatures9 process10 dnsIp11 66 45.155.165.70, 49707, 49708, 49709 AGROSVITUA Russian Federation 27->66 52 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 27->52 dropped 90 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->90 92 Tries to steal Mail credentials (via file / registry access) 27->92 94 Tries to harvest and steal ftp login credentials 27->94 96 Tries to harvest and steal browser information (history, passwords, etc) 27->96 54 C:\Users\user\AppData\Local\Temp\F3BB.tmp, PE32 32->54 dropped 56 C:\Users\user\AppData\Local\Temp\785D.tmp, PE32 32->56 dropped 98 Maps a DLL or memory area into another process 32->98 38 WerFault.exe 32->38         started        40 xclx.exe 32->40         started        42 xclx.exe 32->42         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a37f5980dfaccf82f357074e3d3013e6280e14ddb291ff49b539393daa9da6d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-27 07:22:09 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=di37lgan7lgpqlzvob2ohuybhzribykn3mur75e3kojzhwvj3jwq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0c22e8ea0ba6fc4f77bd273a12dd319e991899499b4bea8422d146d447034505
Loki
0c3e2f384b19e296f638c91f22b05f663ec9b0519c0a66efedf4690f0e22ef97
Loki
301a3e665000c99ab655a74dbf9408de24875866528be4f6d28e83490c19305b
Loki
339539d03ce22693c391b3141e6c20b2403da4efe6e25247c87c81a2e2fe1530
Loki
bd5502b3b91005d62013d1821b3a0a3c6c4fcd8e493e57c5088968304dbc035c
Loki
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e
Loki
ce349034ea5373d13d5fa3adaf34a3ecffff799fe9044d4a2c98bd8a16f0e9ed
Loki
+ 10'373 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/220927-h68rqacha7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fde9a9b0-d0ff-4a5e-afb9-b384c99a2b30
Unpacked files
SH256 hash:
cb6696959705ef3d389addcbc1f43836959345b75cc2b9400c6b180c15a85401
MD5 hash:
90c0a37d71bd6eb7a0c4b1506118603e
SHA1 hash:
c9171bdb16595dc3931028160e48121fa3046a26
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/bc1db7fd-6054-465a-b868-40e5edf3be19/
SH256 hash:
f661b63d5652e02891a04409d3d22ee361ad7e235c06069542bef9785ab14bfb
MD5 hash:
508530e89960548ce3cdbec21c1cc58b
SHA1 hash:
a974a6dcd98e29b5db0331a64627f86768ecb43d
Link:
https://www.unpac.me/results/bc1db7fd-6054-465a-b868-40e5edf3be19/
SH256 hash:
1a37f5980dfaccf82f357074e3d3013e6280e14ddb291ff49b539393daa9da6d
MD5 hash:
2932643a3d5b254d1aa3b08e4453341b
SHA1 hash:
2caa8f51053d9ebc43f10b65e98bbe70d3a3b0fa
Link:
https://www.unpac.me/results/bc1db7fd-6054-465a-b868-40e5edf3be19/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a37f5980dfa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1a37f5980dfaccf82f357074e3d3013e6280e14ddb291ff49b539393daa9da6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest7
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313849/

Comments