MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c199909d3cf1011c4dcca10019608ccd1a5e43552a05e8d299ebaabd9b32b05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c199909d3cf1011c4dcca10019608ccd1a5e43552a05e8d299ebaabd9b32b05
SHA3-384 hash: 7aa5523b7731cc2e128aed5d1ba5a284863865286b5a23b18e1029f7f388196caea473331fef3e5c29c21b2a14605d6b
SHA1 hash: 4582269c26ccc2a8750a96779ed400ee6a2743a3
MD5 hash: cebb5c3481041527c5c6bacaa52a17a1
humanhash: mexico-monkey-mars-twelve
File name:REQUIREMENT.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'024'512 bytes
First seen:2020-10-19 10:21:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:98B5dajCr9A1GKZHNYPzodG79oZOgyMlu37EUKbHS5gbJZPsfJ9jV:8RA1GUKzodGaJurtKbPtZPOJl
Threatray 1'685 similar samples on MalwareBazaar
TLSH 84257B0527F81B88F47A87F15624504187B67E9EA13ED28C7DCD31EE5BB2B410A63B27
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: vmi294194.contaboserver.net
Sending IP: 164.68.123.19
From: bcjung <bcjung@mscnbs.com>
Subject: FW: MSC DIANA REPAIR REQUIREMENT
Attachment: REQUIREMENT.zip (contains "REQUIREMENT.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72881/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.321.28512.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495220
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1c199909d3cf1011c4dcca10019608ccd1a5e43552a05e8d299ebaabd9b32b05/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 09:24:34 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dqmzscotz4ibdrg4ziiadfqizti2lzbvkkqf5djjt25kxwntfmcq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
3b97909b8cc676b840fd25680d29f211efcc6c71a0234f33365dd0fec17e8438
Loki
58bd9279e5ef2a3c1a55c9257c276f8203b69c79e29008399c6629eaf8ca6d56
Loki
6490275833a54ddb21377ef003cacd595697c7659c1b7c6fc24a285fec1946ee
Loki
680e6e46c8bed6c48e63f6dab3409bb9cd05f6642084ef8b0d03898dacc500a7
Loki
99cc56c49ea22eaf929c14180a5625096c6652ae122fb35d913ae774604965f0
Loki
a6f68b61781c4503ac6dbc6b79d22d3a2f6e7995c35e85f08c0d153e056d6f0e
Loki
b8e4dfdddae3c40ef710797605631573fe5689ae296637a411a88f8f3c1d7389
Loki
ba5cf0e14767afbaf1ef4310a5a7a55e152b7c54507a1b567133cdf42493629d
Loki
d18f27370f8ee9d89c588980241ef2757a4a5d6cc70a357c7a45fae186c7e84b
Loki
eacd132f69b64ef7a47c959fd92f50343be23e5768f0476c665870f5de4f89ee
Loki
+ 1'675 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201019-dzscrl2nve/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://logspot.pw/officem2/logs/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
5fe6310655b51613eaaa132e6f29476252f74f56f323fcf6998f616deff8a394
MD5 hash:
2afb21a7cddcc51b8cc5907c5941bba5
SHA1 hash:
35855d7bc7a7d16dca42b46c629125470799e482
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/b2b6fa51-8496-47d5-9903-e793acce4b6f/
Parent samples :
5434b3121b379bde98f409a5d00c6da0be9f001b73e73860ca0c530386e002c6
1c199909d3cf1011c4dcca10019608ccd1a5e43552a05e8d299ebaabd9b32b05
SH256 hash:
e7649236134abf9f0a89f90630cb457fed23551d54b298259a6925f6a638d06b
MD5 hash:
128e40ac3ea4e9a88c69c2a84d1a018e
SHA1 hash:
892d5e2aa3ea437a1f30dbf8a21d850cf3842925
Link:
https://www.unpac.me/results/b2b6fa51-8496-47d5-9903-e793acce4b6f/
SH256 hash:
6e8c746e2a125fe8740a643f86bd994a9310e8ac0f880af3922498f03fb2b509
MD5 hash:
834283e6fd7ee5ee2dca66b86434990c
SHA1 hash:
bdd728fda3d91c0b3871382f954688ea9415e739
Link:
https://www.unpac.me/results/b2b6fa51-8496-47d5-9903-e793acce4b6f/
SH256 hash:
1c199909d3cf1011c4dcca10019608ccd1a5e43552a05e8d299ebaabd9b32b05
MD5 hash:
cebb5c3481041527c5c6bacaa52a17a1
SHA1 hash:
4582269c26ccc2a8750a96779ed400ee6a2743a3
Link:
https://www.unpac.me/results/b2b6fa51-8496-47d5-9903-e793acce4b6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c199909d3cf1011c4dcca10019608ccd1a5e43552a05e8d299ebaabd9b32b05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 1e1a1ebbeb09de67c77d4eb259534f71b11dbec1ef41ae34ef62f0f1839dc0d1

Loki

Executable exe 1c199909d3cf1011c4dcca10019608ccd1a5e43552a05e8d299ebaabd9b32b05

(this sample)

  
Dropped by
MD5 3b5460a81719dfe5dffb842cdb17a3a4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72881/
  
Dropped by
SHA256 1e1a1ebbeb09de67c77d4eb259534f71b11dbec1ef41ae34ef62f0f1839dc0d1

Comments