MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28e0d8fecfba61598ad3d44e802320c3543dd4fc7084bb98303b1c8feab595b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	28e0d8fecfba61598ad3d44e802320c3543dd4fc7084bb98303b1c8feab595b2
SHA3-384 hash:	3f07e325016011ea4c3d782df2a0612c20ead046b8627063c8d85c8d9de7b8f41dc2497dcb4d66f4b6e2ff5858359e72
SHA1 hash:	77d69238eebbbd6a65305912c5cc76b71fa5b917
MD5 hash:	7fa6f5d600ec47918bb606705e38cb21
humanhash:	oklahoma-march-music-timing
File name:	ESD095874354688.COM.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	368'128 bytes
First seen:	2022-02-02 07:37:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:y84gVO7JpyTadqKKKHWckZbHuvKsaPNcaG6dyf2OQ8xWR8pvwHlrzdWYzF28b:/VO7JHqKeck1IKzN/QHvbsWs
Threatray	7'172 similar samples on MalwareBazaar
TLSH	T17B747BB4A1A78694F10B8A74257CFDA502F231E3E9C60D38572A7541CFEEE543E84A4F
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://giskia.xyz/ho/zoo.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://giskia.xyz/ho/zoo.php	https://threatfox.abuse.ch/ioc/375439/

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/229825/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61fa34e46d25ac9e79fab230/reports/61024a50-593e-49c7-84fd-d3ad8b6d4d19/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fbe32e11-8d92-40b7-8b54-9bea46082e86

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933040

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/28e0d8fecfba61598ad3d44e802320c3543dd4fc7084bb98303b1c8feab595b2/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-02 07:38:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fdqnr7wpxjqvtcwt2rhiaizaynkd3vh4occlxgbqhmoi72vvswza._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

1e515ef044e4ac7ab2daaeb36c3c2d0a4997220c307d63fbbba0d131e7dcdbbc

Loki

71838c0510a2a1afcda841226edfdc2bcbb636dfb6785a3c026871b0ee53b020

Loki

7b12e253b0bf89ef0535a8dc539361954c67511bcdbc709060c0b1e6ed539cb6

Loki

98a1743d70be4d658c224d74d0ed47fe330c212ac90f1ed17d48daea53500d7e

Loki

af9ac07263f577041536d7c65a5aa6f9609613e7565ee6167e95e18f6f2e1110

Loki

bd6cf98ff23cdad2f5bb43bb60e61275d8ad1ad7baeb609aa0a812fc048fede0

Loki

dc0c244674ff2d063c77edd72795ce34db8fe4fdd054ce2a7b5018fb34adba4b

Loki

dd8a3353f1fc1446d5c32585a3b90fe0743187316e96ee3d8daf9e0059738478

Loki

+ 7'162 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220202-jgd2gshdfl/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Sets service image path in registry

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://giskia.xyz/ho/zoo.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc

MD5 hash:

60a604887b3616e3ed86d81fab0a9ebb

SHA1 hash:

8db84f5f4c569c86c69aff464b2ffc4ce3dafa20

Link:

https://www.unpac.me/results/ace57c54-6cf7-4441-a92d-e1b110f87621/

SH256 hash:

d58f42838b6f0c8ccd6d47acb10cba4be67a18959203d2229b4e249f0e10184a

MD5 hash:

91a239317a6c269f5f62241444779177

SHA1 hash:

51106f6550e64840ff34d1025d7caa9b8345853e

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/ace57c54-6cf7-4441-a92d-e1b110f87621/

SH256 hash:

d8efd1c507ff82ad9549f0614c130c6829d0553f29641cef895e70a5784c3280

MD5 hash:

25364f8fdcd7dcd610a976ad1834267b

SHA1 hash:

4b4e7528145e5779f0a429c7203f9d1166192d0f

Link:

https://www.unpac.me/results/ace57c54-6cf7-4441-a92d-e1b110f87621/

SH256 hash:

28e0d8fecfba61598ad3d44e802320c3543dd4fc7084bb98303b1c8feab595b2

MD5 hash:

7fa6f5d600ec47918bb606705e38cb21

SHA1 hash:

77d69238eebbbd6a65305912c5cc76b71fa5b917

Link:

https://www.unpac.me/results/ace57c54-6cf7-4441-a92d-e1b110f87621/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/28e0d8fecfba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/28e0d8fecfba61598ad3d44e802320c3543dd4fc7084bb98303b1c8feab595b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/229825/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample