MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
SHA3-384 hash: aa181bcc9ad126876c4d8a0dc8ef28c1b61b22c54c3871798d921fc869ed887b1f93ffaf210360748c5a6427aeb808e8
SHA1 hash: 228cdc6abadc4ef7c5ea7166b8d9086c201ece06
MD5 hash: 6f09070ab32e73c04c0f148e8a3f7cf1
humanhash: nineteen-butter-east-single
File name:6f09070ab32e73c04c0f148e8a3f7cf1
Download: download sample
Signature Loki
Create hunting rule
File size:346'112 bytes
First seen:2021-10-11 10:10:13 UTC
Last seen:2021-10-11 11:22:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 788721417ad6ed4eefc1faa143c04d8a (3 x Smoke Loader, 2 x Loki, 1 x DanaBot)
ssdeep 6144:nZWQyksNHFmKezPTEz+5VYYlNzOWGSPfhx6KxEKKM1GQ:cQydH2YoV/lNzOuPf6KOKKIL
Threatray 5'005 similar samples on MalwareBazaar
TLSH T1D3748D30A7A0C034F5F716F989BA5269A53E7DA1AB2490CF13D52AEE5734AD1EC30317
File icon (PE):PE icon
dhash icon 9824e790c4e72158 (31 x RedLineStealer, 18 x Smoke Loader, 16 x ArkeiStealer)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Invoice- INV-121920.xlsx
Verdict:
Malicious activity
Analysis date:
2021-10-11 09:57:35 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/662353f2-9947-42ad-bdd2-15c45f801f9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/196562/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.26568.10268.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61640db99fb4d8593d6170c0/reports/b8f858fc-70ba-4cd6-929c-dc3e34f55096/overview
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868027
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 10:04:54 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eqmy4yjac4mwaze7f2qq2osncmuraqggf4ka7mz5l5jhs4dyq4aa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2eeff837091b7d78f534e717e171890b69d22317d39760b91292203901bfca68
Loki
39b95a1927b9cc2435642fc76dbeb4e7fae9a858ce4cc2664490de6f74662fbc
Loki
4eb265e9a2a0b119bb5d4da0eb39c17d9b2a25aab1f14abd4b41f80087ac1556
Loki
573a2b0730e4da202bbd486ceaf7cf0b9cea7d2ca1a07448ec41e06e419bc104
Loki
94ce947ee07dc19d535d78551ba3a64ffc394fd3049b0719f43ec9f78be32c08
Loki
ca471f5b9cc2a2ea2e2d8b250f550e2a98c93cf322f7d7497dcd4cc1736f5448
Loki
ccb35b7420b1699e5d4896f5ac66445dc44f51b5f9311382eda1b501c3125fe8
Loki
dc92dc39a66515cd3422763d9dab9b0542f79c1be3a9b0b2add7a59f7ed0a182
Loki
e8ff02a0c3ef623bed6098ffee7befbd2595f1f7736971dc98954f88a40c087d
Loki
fb9dae4e80fa931e907f532772eb742e1a18cea81288f223ea8c7bd272657648
Loki
+ 4'995 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211011-l7yvpaggc9/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=119
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
e641af581e3e33501b2c63a4f9d82f4d6e9eb1df24e3fa7e30a6f8c60bd4a140
MD5 hash:
6d641b36e37a83166c34fc20a1a8eb55
SHA1 hash:
a597687163740a868fd6bbeba3286ed4fea04ce4
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/55392ee3-f1ce-4056-b867-71c388d63a31/
Parent samples :
137db6baaee41625a255900d2e76eb3c42575398bf06b92e2a0ef50a40305cc1
2b0adb1ba45e7ea11b27618151f3a185ce653c81235ab523dce4292403f99ac0
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
b83f53f67a2b2fa4d2abf6a0ce7b75542685661deaac9aeb2159f5e25977e10e
c5e30ba7109f8c474152f1a64dabe02e801f5ddc8313390954e1bbb5e04ce772
SH256 hash:
24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700
MD5 hash:
6f09070ab32e73c04c0f148e8a3f7cf1
SHA1 hash:
228cdc6abadc4ef7c5ea7166b8d9086c201ece06
Link:
https://www.unpac.me/results/55392ee3-f1ce-4056-b867-71c388d63a31/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/24198e612017/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 24198e6120171960649f2ea10d3a4d13291040c62f140fb33d5f527970788700

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1666301/
Cape
Cape
https://www.capesandbox.com/analysis/196562/

Comments


Avatar
zbet commented on 2021-10-11 10:10:14 UTC

url : hxxp://192.3.13.11/00011/vbc.exe