MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45
SHA3-384 hash: 83310d8f1c0096596cb194ccfac59f0645c8de7d1d01cf364938a6bead58e6fd7965b1c222ecce00c58cee8e9bb901db
SHA1 hash: 06dc7948776286af0e962a328d5eaea3db862541
MD5 hash: 16318c33d45ad97cde0d6a19d6b556cd
humanhash: dakota-mirror-five-solar
File name:92A0A235D12853B42BAE99BE49104351C3BB10AFC8C8B0E401DE27D3981EF6BD.exe
Download: download sample
Signature Loki
Create hunting rule
File size:276'480 bytes
First seen:2024-07-24 19:07:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e22fde80595c4bea0880fd6845018d6a (7 x RedLineStealer, 6 x Loki, 6 x Worm.Ramnit)
ssdeep 3072:K072IS3rHzXddSROXXCE9tZfPqY5Dp0BWO3Xqzc1ja5q/wJaRJCrSIy66J4dI5lL:YHSoi6Xfx6BWgXqG7SzrlzGligoOyoc
TLSH T17044AE00B790C035E4F712F4897AD3ADB93E7AA15B2560CB62D52BEE26356E4EC31347
TrID 29.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
21.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.7% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon b6dacaaecee6baa6 (15 x RedLineStealer, 14 x Stop, 7 x RaccoonStealer)
Reporter Anonymous
Tags:exe Loki


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
CN CN
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45.exe
Verdict:
Malicious activity
Analysis date:
2024-07-25 17:33:31 UTC
Tags:
bdaejec lokibot stealer trojan
Link:
https://app.any.run/tasks/4ced4763-5361-4564-86fb-852b09e139e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Trojan.Generickdz-9950759-0
Create hunting rule

Win.Trojan.Generickdz-9951389-0
Create hunting rule

Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a15115ae21d7902eafbcfc
Tags:
Execution Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Сreating synchronization primitives
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Reading critical registry keys
Changing a file
Modifying an executable file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Query of malicious DNS domain
Stealing user critical data
Moving of the original file
Infecting executable files
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a151ac9149fd55f99006cc/reports/e5e6ae42-af87-4bbd-af97-4fdc1eb41f04/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a5f8932-9628-4146-ba59-4a1261313a75
Result
Threat name:
Bdaejec, Lokibot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480608
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Bdaejec
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480608 Sample: 92A0A235D12853B42BAE99BE491... Startdate: 24/07/2024 Architecture: WINDOWS Score: 100 27 sempersim.su 2->27 29 ddos.dnsnb8.net 2->29 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 11 other signatures 2->39 8 92A0A235D12853B42BAE99BE49104351C3BB10AFC8C8B0E401DE27D3981EF6BD.exe 58 2->8         started        signatures3 process4 dnsIp5 31 sempersim.su 185.130.225.203, 49711, 49712, 49713 HOSTKEY-ASNL Netherlands 8->31 19 C:\Users\user\AppData\Local\Temp\VKhZeY.exe, PE32 8->19 dropped 41 Detected unpacking (changes PE section rights) 8->41 43 Detected unpacking (overwrites its own PE header) 8->43 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->45 47 4 other signatures 8->47 13 VKhZeY.exe 12 8->13         started        file6 signatures7 process8 file9 21 C:\Program Files\7-Zip\Uninstall.exe, PE32 13->21 dropped 23 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 13->23 dropped 25 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 13->25 dropped 49 Antivirus detection for dropped file 13->49 51 Detected unpacking (changes PE section rights) 13->51 53 Machine Learning detection for dropped file 13->53 55 Infects executable files (exe, dll, sys, html) 13->55 17 WerFault.exe 22 16 13->17         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 19:08:11 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eq6y3qhduwwzaj5qxwin3uv4quhcqn5m56sux6zqi7q47d5h7jcq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot aspackv2 collection credential_access discovery spyware stealer trojan
Link:
https://tria.ge/reports/240724-xs71lasdqm/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Accesses Microsoft Outlook profiles
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Lokibot
Malware Config
C2 Extraction:
http://sempersim.su/gc23/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/304859ec-151f-4693-8d88-f8a446f96840
Unpacked files
SH256 hash:
060c08860f1009b299ceffb9ea577f5590c00ed5335aea02df79d9f1ecd585dc
MD5 hash:
a4ecb2ba3a3a725da5cbc92667b74d60
SHA1 hash:
c0f5086ce4b8b9155bebe9f941d266d710445218
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/99c1ad57-f567-42b6-95d1-0e1309b80fe5/
Parent samples :
92a0a235d12853b42bae99be49104351c3bb10afc8c8b0e401de27d3981ef6bd
b9d518ec7f1282ba657fe75fa1f9ffae78998050044296a35bda4f038cad61a4
a9594bf0154da36e2dd564ebfc6aa6896ec8a96a15d5d3de05518f9a44fa2c5d
911200cd3ee845071a445ed506b35eebdd1ee2df93697ef0f773e142070edbf2
f52025ad2e051afc5b3a48f9b84d88c929a1a27df132c78be3956e34f7ed473b
7e059156d292c91d41f8ff92dcf6bd40e47d0aef0140c51d5bfbdfc865e80f09
a4fbcf0da39f90df5791fa1f3908403eb99e2cf21fd02d069501e2833dc24bfd
06cf8217e034ac0004a6fc08d3051b9c3cf79d04d6b108d90a7773038e64cd92
f766b8e7d891d8cfe0ac028a7b81856e060305051f499a7567e59587a922be7c
44eface2d74771701600e5d9e966e3a4f136fe0b38aa60fceee0992e97e9cd9e
749488434c5ffb45030273e48a2d2c8fec03a3c547c1d606d748eb6a02be833d
243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45
SH256 hash:
fe433f01a04faa98ce555c0e41f42bee1c7c1c5dc3684d0702aad7f43edbc99b
MD5 hash:
b6484e49f7382e02232d6e78c2c32ecf
SHA1 hash:
d07c84376819321410a70869370d1b485b718057
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/99c1ad57-f567-42b6-95d1-0e1309b80fe5/
SH256 hash:
243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45
MD5 hash:
16318c33d45ad97cde0d6a19d6b556cd
SHA1 hash:
06dc7948776286af0e962a328d5eaea3db862541
Link:
https://www.unpac.me/results/99c1ad57-f567-42b6-95d1-0e1309b80fe5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 243d8dc0e3a5ad9027b0bd90ddd2bc850e2837acefa54bfb3047e1cf8fa7fa45

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::FlushConsoleInputBuffer
KERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileWithProgressW
KERNEL32.dll::MoveFileA

Comments