MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28888617c365a573886c81406a85e3d3d770cbb82031f9320b795cb259a3a54d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 13 File information Comments

SHA256 hash:	28888617c365a573886c81406a85e3d3d770cbb82031f9320b795cb259a3a54d
SHA3-384 hash:	15f43c8e1cd943d14fb89a1b3785c84462da6890d6ff2c9cd421fc01b9b1918ef5e66a03c907afc5260daa01ffe40fbd
SHA1 hash:	0404276b8dd1ef373872a030a19b2ad4e7b93b5d
MD5 hash:	17d67caf8b324b269f246a8a2efd081f
humanhash:	failed-wyoming-autumn-missouri
File name:	2022DT_PO2220_SHP.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	305'457 bytes
First seen:	2022-03-22 09:52:47 UTC
Last seen:	2022-03-22 12:32:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	6144:rGi9z7a99E45ESKph3XfPERmQEvVz8d3iLTdCqADs4TIA84sWd65:S/2SKT/PERmQmzWSLTdCbDsJTuq
Threatray	4'842 similar samples on MalwareBazaar
TLSH	T11054121695A8C837D6612D32AD72B3BAE7B4D7885602460F87B40CFA7E905CB097D382
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	GovCERT_CH
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2022DT_PO2220_SHP.exe

Verdict:

Suspicious activity

Analysis date:

2022-03-22 08:15:06 UTC

Tags:

installer

Link:

https://app.any.run/tasks/5a407373-1e9a-4232-93fe-c94799166b33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/254072/

Detection(s):

SecuriteInfo.com.MemScan.Trojan.GenericKDZ.85536.1714.4205.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Creating a file

Searching for synchronization primitives

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll zusy

Link:

https://www.filescan.io/uploads/62399c84b94fb38cb4cd0895/reports/cc398d86-0fe1-42f8-872c-ce7f6c611fa3/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1cb53328-8162-49d6-99ad-105563e95be0

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/961536

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/28888617c365a573886c81406a85e3d3d770cbb82031f9320b795cb259a3a54d/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2022-03-22 09:53:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 25 (80.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fceimf6dmwsxhcdmqfagvbpd2plxbs5yeay7smqlpfolewnduvgq._file

Verdict:

malicious

Loki

1a4c2314615f2ebf7a71d3da4a70f421c604daa81c51abd4c7f3625ebdace7a5

Loki

1f7de270de983863bc7d6da4b44ef251cee61011150fafcea84212ba169d03e9

Loki

46ff11f15fe37417ceadb41b370ff065eb2fc89043c397ac2b0e193d77924f1b

Loki

75a17cb26bd616c7d7b48b0b3add3033b6cd8656d8d20a0618734a3850072632

Loki

a8ac9057025ae99a3ef4539ceabb2f4c4f505ee8388c3f3eac6385006e2e955c

Loki

+ 4'832 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/220322-lwmy2sbcck/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Lokibot

Malware Config

C2 Extraction:

http://furnaceshst.net/ge10/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

855d853be9452baa9ace281deeb34b4b3d37091c5ed7975443667c9c5297ccc5

MD5 hash:

5a7f849af4ceaf44ffb76bdd39e8a7fc

SHA1 hash:

7e1af3c01cd5dff07bc9059f26ae097f08b48399

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/cdc4ecc1-4cee-48f0-857b-6e928e4c23ba/

Parent samples :

d8386b61dc23c554ffa380c7f45ae9184ce2e8048c9f78aca258fd381098c724
9894223dde15736ccaddc4899a4e7a3ee831d2f14a83a2e6ae075785bb131027
28888617c365a573886c81406a85e3d3d770cbb82031f9320b795cb259a3a54d
b392732e333e4ac15c22471870011f25f495371419a25375ca65c3f51999bb90

SH256 hash:

da6fac9fe02be0c8f792c69f1189d9bea6a6c7a65886ff6640705ffbe86485ac

MD5 hash:

b05f683f825d7b6f6ea59e83b086ed30

SHA1 hash:

0ae54ae461dcdedbdb74546ad7281cbaab423d84

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/cdc4ecc1-4cee-48f0-857b-6e928e4c23ba/

SH256 hash:

a3177f4f3b4df7c000634e3e4412498dc0329f30d8a4950404afaf9fe728babe

MD5 hash:

77554ce3f392106310d5f3bca4397521

SHA1 hash:

fd801f993994e3bf11a4ed5d382f960ea521426e

Link:

https://www.unpac.me/results/cdc4ecc1-4cee-48f0-857b-6e928e4c23ba/

SH256 hash:

28888617c365a573886c81406a85e3d3d770cbb82031f9320b795cb259a3a54d

MD5 hash:

17d67caf8b324b269f246a8a2efd081f

SHA1 hash:

0404276b8dd1ef373872a030a19b2ad4e7b93b5d

Link:

https://www.unpac.me/results/cdc4ecc1-4cee-48f0-857b-6e928e4c23ba/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/28888617c365/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.73

Link:

https://yomi.yoroi.company/submissions/28888617c365a573886c81406a85e3d3d770cbb82031f9320b795cb259a3a54d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe 28888617c365a573886c81406a85e3d3d770cbb82031f9320b795cb259a3a54d

(this sample)

Dropped by

loki

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/254072/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample