MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 31 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0
SHA3-384 hash: 1ffd664b6a58ed404cf6ab8a4a8c5e7bb67e22e7911162ebf63cb76da5a2b68a9c279f213035fbd957a5e5efe9f1d508
SHA1 hash: bcd8d182b9d8036ce3b31c4fac14cb1d074e45ff
MD5 hash: 1af02455b4d35d282469dde4144cbd07
humanhash: sixteen-jersey-spring-arizona
File name:SWU5109523I.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'836'544 bytes
First seen:2024-06-25 10:05:24 UTC
Last seen:2024-06-25 16:38:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f2ed59ffaf0389477f5411c8b4c37fd (3 x AgentTesla, 3 x Formbook, 3 x RemcosRAT)
ssdeep 49152:mOD+bTI6YTDml4HJPHDQkOBU0f9iygcrxZ3aU5ZdIrRo2ht1K1YvkUw:rv85
TLSH T1F385BE15E3E805A8E577DB34CA629333CAB1B8561730E58F065CD2052F73EA19B7B326
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://sssteell-com.pro/kedu/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://sssteell-com.pro/kedu/fre.php https://threatfox.abuse.ch/ioc/1288606/

Intelligence

File Origin
# of uploads :
4
# of downloads :
453
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0.exe
Verdict:
Malicious activity
Analysis date:
2024-06-25 10:06:59 UTC
Tags:
lokibot stealer loader trojan formbook xloader
Link:
https://app.any.run/tasks/a5fad005-8a88-4f74-94bb-36cd56b199de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.15369.16220.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=667a96ca8bee61523c5d2692win7simulatehigh_evasion
Tags:
Encryption Execution Network Static
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a window
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
hacktool lolbin microsoft_visual_cc packed regedit remote shell32
Link:
https://www.filescan.io/uploads/667a9695eae3878d8f3b44c3/reports/79670820-bd32-4e23-968c-244ca2898093/overview
Verdict:
Malicious
Labled as:
Win64/GenKryptik.GYXR trojan
Link:
https://www.hybrid-analysis.com/sample/2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2f5fd75-44b0-4577-a3b2-a5b365baa704
Result
Threat name:
FormBook, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1462369
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected FormBook
Yara detected Lokibot
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1462369 Sample: SWU5109523I.exe Startdate: 25/06/2024 Architecture: WINDOWS Score: 100 49 www.skinnovations.xyz 2->49 51 www.sonhouseton.com 2->51 53 5 other IPs or domains 2->53 73 Snort IDS alert for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 81 12 other signatures 2->81 12 SWU5109523I.exe 1 2->12         started        signatures3 79 Performs DNS queries to domains with low reputation 49->79 process4 signatures5 101 Uses regedit.exe to modify the Windows registry 12->101 103 Writes to foreign memory regions 12->103 105 Allocates memory in foreign processes 12->105 107 Injects a PE file into a foreign processes 12->107 15 aspnet_wp.exe 138 12->15         started        20 conhost.exe 12->20         started        22 regedit.exe 12->22         started        24 4 other processes 12->24 process6 dnsIp7 61 sssteell-com.pro 31.192.235.101, 49706, 49707, 49708 GLESYS-ASSE Russian Federation 15->61 63 104.129.27.23, 49710, 80 ASN-QUADRANET-GLOBALUS United States 15->63 45 C:\Users\user\AppData\Roaming\XttwIhO.exe, PE32+ 15->45 dropped 47 C:\Users\user\AppData\Local\...\PO580[1].exe, PE32+ 15->47 dropped 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->65 67 Tries to steal Mail credentials (via file registry) 15->67 69 Tries to steal Mail credentials (via file / registry access) 15->69 71 Tries to harvest and steal ftp login credentials 15->71 26 XttwIhO.exe 2 15->26         started        file8 signatures9 process10 signatures11 93 Multi AV Scanner detection for dropped file 26->93 95 Machine Learning detection for dropped file 26->95 97 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->97 99 3 other signatures 26->99 29 vbc.exe 26->29         started        32 WerFault.exe 2 26->32         started        34 vbc.exe 26->34         started        process12 signatures13 109 Maps a DLL or memory area into another process 29->109 36 tRfQCXeJVnXjrCojpmzHfxCQSE.exe 29->36 injected process14 dnsIp15 55 sonhouseton.com 112.213.94.125, 49805, 49809, 49813 SUPERDATA-AS-VNSUPERDATA-VN Viet Nam 36->55 57 www.0psxk.top 154.214.114.86, 49848, 49852, 49856 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 36->57 59 2 other IPs or domains 36->59 83 Found direct / indirect Syscall (likely to bypass EDR) 36->83 40 TapiUnattend.exe 13 36->40         started        signatures16 process17 signatures18 85 Tries to steal Mail credentials (via file / registry access) 40->85 87 Tries to harvest and steal browser information (history, passwords, etc) 40->87 89 Modifies the context of a thread in another process (thread injection) 40->89 91 2 other signatures 40->91 43 firefox.exe 40->43         started        process19
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0/
Threat name:
Win64.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2024-06-25 10:06:05 UTC
File Type:
PE+ (Exe)
Extracted files:
16
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqd5ufrh6no27qlcybwjhsk5mevmaneurasb2klrklsb2d4k66qa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/240625-l43dpstara/
Behaviour
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds policy Run key to start application
Downloads MZ/PE file
Lokibot
Malware Config
C2 Extraction:
http://sssteell-com.pro/kedu/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c8f9e31d-4d56-4c54-9e07-05d4e8ff6997
Unpacked files
SH256 hash:
2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0
MD5 hash:
1af02455b4d35d282469dde4144cbd07
SHA1 hash:
bcd8d182b9d8036ce3b31c4fac14cb1d074e45ff
Link:
https://www.unpac.me/results/cb0893f8-893e-48f0-9b0d-ae62adf55d48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_In_EXE
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::RevertToSelf
ADVAPI32.dll::GetSecurityDescriptorLength
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetWindowsAccountDomainSid
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
ADVAPI32.dll::SetThreadToken
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::DeleteVolumeMountPointW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::ReplaceFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptDecrypt
bcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptGenRandom
bcrypt.dll::BCryptOpenAlgorithmProvider
bcrypt.dll::BCryptCloseAlgorithmProvider
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExA
ADVAPI32.dll::RegSetValueExW

Comments