MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9
SHA3-384 hash: 2f2ae34c55f13d5672e9f5d86bac9f591c7385e9470e9a84fef9e5b5ce6563db412763179be8e5dd153be1f263fe80f3
SHA1 hash: 81cd8d2aede765fe6191c2462898966672c8b856
MD5 hash: bfb726f86506ee1de674dad789db189d
humanhash: vegan-pizza-winter-ack
File name:crypter_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:413'696 bytes
First seen:2021-01-19 07:23:39 UTC
Last seen:2021-01-19 09:21:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 616765ca1e3c367f5f3771d38d13b610 (7 x Loki, 4 x RemcosRAT, 4 x AgentTesla)
ssdeep 6144:C3CDRM9sIkrdnvhgUmCey/QOEHT9/PXKV1ChVKjyU4:6f9HmdvhKCeYXCThKihVKo
Threatray 2'325 similar samples on MalwareBazaar
TLSH 0B94AE2371F09071F061C1B972609BA2357F7E215E61489B6FEDB85D2ABC2D0623F792
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: svr105.phsserver.net
Sending IP: 203.175.162.90
From: Chinese University of Hong Kong <admin@cuhk.edu.hk>
Subject: REQUEST FOR OFFER (Chinese University of Hong Kong) EUI894/SG4660
Attachment: REQUEST FOR OFFER 1-19-2020.pdf.rar (contains "crypter_pdf.exe")

Loki C2:
http://51.195.53.221/p.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
crypter_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 07:34:09 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/1f5bd75c-847a-443f-a192-ec96b83f06d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112770/
Detection(s):
PUA.Win.Adware.Bang5mai-6804572-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584732
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-19 00:20:18 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=el2usqee74ae6uwpampy3qaool3wjbr6rc4qxzxi7yaatl3rpc4q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0b813805cdf296dc50f3336dcbf6e41f4dc119e753be9511634857eba90a7b0f
Loki
35f2d31f591a7850c05f86c1124aef7193bdd2f2ad7421d1fb09e1144b3fc3d3
Loki
445e1ae4fb515ce4fca81255fc4f569ba238d2a7b3ba0c093f4d55bc8fa5ae08
Loki
7c543362b23c8618d029f1fff5185c8af6adaaa3a6f358d4c8415e8e71ae7818
Loki
88fefe74a59525eecee004f0ca10e3b964462adc1f3b44a794282e17dd3dd67e
Loki
8f381987b6d04acb2f13d81524cd91deed670b4e678d34fc3960278a28cc4eb6
Loki
9dd8b9b40de05ac0aaf1bb9e1710faea9ef584f5eff71d3af7ad3a2dc083649f
Loki
b40eb6fd6c232b3359d55b0a4a2392196dd37b4fd6fc3fbe64637caa1a817042
Loki
b8f93d593fb0feaa265c385ab4afb8c8e1bb7908b166cf68b6efb36ed1f7fa4f
Loki
e3699291676cb658693307f1f568e8ae9d82e50f3b2a3c3031437c5d54fe7c16
Loki
+ 2'315 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210119-b117eg2cdx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/SczbkxCQZQyVr
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
a4d4a4094969b6d7b779e3612be6b1d49c4d73b040fa21a12f28f8d5b7c04d7b
MD5 hash:
d7a77336eb7bbfa4081d49c0ce5bc4a3
SHA1 hash:
425c70c465619909cef0ae1e63e3b22fa4b4c640
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/6e38d697-8138-44eb-b1fb-6c9a9f3d1a81/
Parent samples :
909b3558b85ccc4b1890253c148345b2eecd0511c6d33f76752e14d56c9d9018
22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9
b374351f0f9b840defca70f32554b5ee570905a96ec6ef032987476684e94742
SH256 hash:
22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9
MD5 hash:
bfb726f86506ee1de674dad789db189d
SHA1 hash:
81cd8d2aede765fe6191c2462898966672c8b856
Link:
https://www.unpac.me/results/6e38d697-8138-44eb-b1fb-6c9a9f3d1a81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 79057aed165c47cc5f52097889fc6a8416f26816a954b6f4ac1e97df6a67be37

Loki

Executable exe 22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9

(this sample)

  
Dropped by
MD5 f34de58f849d03c3971d79de1dade226
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 79057aed165c47cc5f52097889fc6a8416f26816a954b6f4ac1e97df6a67be37
Cape
Cape
https://www.capesandbox.com/analysis/112770/

Comments