MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
SHA3-384 hash: 05874a76df0ab4832007683ad1eb3a54f91559e80340268af265911db8978b06530ba7f9c503b863c1442ad019abf6f2
SHA1 hash: ef655931d08bd2a9839d6bcc4cab23499b8ac013
MD5 hash: 5c0ef516f2e1cecf656358b495e0d05f
humanhash: robert-spring-lactose-muppet
File name:FGD0987678000.cmd.exe
Download: download sample
Signature Loki
Create hunting rule
File size:472'064 bytes
First seen:2024-11-20 05:25:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:NJOr0Yb59iAIYhQZSjNx+bZzT4yoQ8BTjIzW62JVbY:Ng7jC2nZtpbY
Threatray 2'813 similar samples on MalwareBazaar
TLSH T11FA46B9163FC911DFAFBAB34AA39B2105A36FD8F4476C28C1560316D1832F82DA60777
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://87.120.113.235/18/pin.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://87.120.113.235/18/pin.php https://threatfox.abuse.ch/ioc/1346057/

Intelligence

File Origin
# of uploads :
1
# of downloads :
530
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
FGD0987678000.cmd.exe
Verdict:
Malicious activity
Analysis date:
2024-11-20 05:26:10 UTC
Tags:
lokibot stealer xor-url generic trojan
Link:
https://app.any.run/tasks/62285890-1e5c-4a79-b105-ae74a83129e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.3818.2053.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673d73817b9ab5fcc4dba5f9
Tags:
autorun gumen
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Creating a window
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lokibot lolbin masquerade obfuscated packed remote
Link:
https://www.filescan.io/uploads/673d72ecb1a62895a51fe470/reports/9e14a561-2533-4c75-8d03-ae8373391b33/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9e8dd16-2684-46cf-a4ae-31060e7c940e
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1559066
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates executable files without a name
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Copy file to startup via Powershell
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1559066 Sample: FGD0987678000.cmd.exe Startdate: 20/11/2024 Architecture: WINDOWS Score: 100 27 Multi AV Scanner detection for domain / URL 2->27 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 11 other signatures 2->33 7 FGD0987678000.cmd.exe 2 2->7         started        10 svchost.exe 1 1 2->10         started        process3 dnsIp4 35 Bypasses PowerShell execution policy 7->35 13 powershell.exe 13 7->13         started        17 FGD0987678000.cmd.exe 7->17         started        25 127.0.0.1 unknown unknown 10->25 signatures5 process6 file7 21 C:\Users\user\AppData\Roaming\...\.exe, PE32 13->21 dropped 23 C:\Users\user\...\.exe:Zone.Identifier, ASCII 13->23 dropped 37 Creates executable files without a name 13->37 39 Drops PE files to the startup folder 13->39 41 Powershell drops PE file 13->41 19 conhost.exe 13->19         started        signatures8 process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958/
Threat name:
ByteCode-MSIL.Infostealer.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 04:51:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=engirttwzxr4wriqvyktfbr3wpbj56qossej2xotbampbbgdxfma._file
Verdict:
malicious
Label(s):
lokibot
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
Loki
3c3cedc000a25a9478e78e2a90b3310afec83616d36f9353be0721dd2aa052f8
Loki
972ef638b803266c9fe4afce93a2f0a4a2a880b7a93a6c250209c55dea295ee0
Loki
c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905
Loki
c3338e8d8bb652e897c624f3380e1432eb1c4c93091b64dd28abc3cfa02fa804
Loki
c92a29ffe704fd01df9832b221781fe8cafef9fcd125fb380227571cd94df921
Loki
d921a6bd7134c1c395ad51969aa098197ecfcd37933bf2af4af07d7e4c36b8dc
Loki
dab1d46327d46ccbade543f499379b66a9c71a392e96f3aa29f988301bc8b656
Loki
error
Loki
+ 2'803 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/241120-f4ve7ssfnl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Reads user/profile data of web browsers
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://87.120.113.235/18/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/963616f3-72ba-4a4c-89f5-e184037e3121
Unpacked files
SH256 hash:
4080f041c0d248fea39e9a2649cb9ef7748764755e022ae3d79b0bce2d20326e
MD5 hash:
ac347d3b3a710682340d9de47cdfd624
SHA1 hash:
c9bac003e88498b6b08fd8243eefce42cb889820
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/c054da65-1d00-4520-9c64-72a2d51b3617/
Parent samples :
a4e13d5ddfed2748925ccf8cb2a08cf03f992de943e195aa73411e1fd2efab80
041c73bd4c470d02db20ef282a1a8550f8987e362cbd07fc3828c14873a7f772
c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905
234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
be789d9c5185f7f04ddb78f2b39f9dd7415080c4d975139fc612158b0b3a5bad
afd5885712157bf7e51471f21b977788084aa78bf58d45287b4043edb2ee3495
SH256 hash:
45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b
MD5 hash:
fb1bc19121c4e190d83672bc71b493f0
SHA1 hash:
c3488b969ba578e28ee360be24b6416425a224a0
Link:
https://www.unpac.me/results/c054da65-1d00-4520-9c64-72a2d51b3617/
SH256 hash:
287fd051cba648e5343f069395e396035ed6f709e0fc3c48738d1cb4160b57b7
MD5 hash:
827fcf970bb5b799f100c02314a85909
SHA1 hash:
a4fd8676f41daf908ee4a23543286b3b5c35948e
Link:
https://www.unpac.me/results/c054da65-1d00-4520-9c64-72a2d51b3617/
SH256 hash:
234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
MD5 hash:
5c0ef516f2e1cecf656358b495e0d05f
SHA1 hash:
ef655931d08bd2a9839d6bcc4cab23499b8ac013
Link:
https://www.unpac.me/results/c054da65-1d00-4520-9c64-72a2d51b3617/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/234c88ce76cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RSharedStrings
Create hunting rule
Author:Katie Kleemola
Description:identifiers for remote and gmremote
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments