MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
SHA3-384 hash: 0bf076ac950f05d36ce5a99fe88db85b09c1814845ae06561046d8c71f5296ad80f39bfe21660108ac3dcc1d87ecbd78
SHA1 hash: 2dd7b05c3f8f580c00253ffef3ba6ece4bbc6708
MD5 hash: 43f55a41a6ec2a858c28b796f0138f36
humanhash: south-artist-california-queen
File name:Cjdeazryrjcnuk.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'010'688 bytes
First seen:2023-10-17 02:25:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 003d3d12d28525a81de6bbbfc27b008c (5 x DBatLoader, 1 x Formbook, 1 x Loki)
ssdeep 24576:PKEbMgZ1x1BaPhO/TvtcY6Rs7bvteS+BfKZ5puZP:iEogpU6T+YoE5puZP
Threatray 3 similar samples on MalwareBazaar
TLSH T14B259F63E2920637D173D638AF0BE3E95B2D7E20252C788D5BD86C489F395853C1A397
TrID 84.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.2% (.SCR) Windows screen saver (13097/50/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f0f0d4dcc8c8dc (4 x DBatLoader, 1 x Formbook, 1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://45.77.76.224/~clinics/3767664902

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/455098/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.32473.29083.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware keylogger lolbin replace
Link:
https://www.filescan.io/uploads/652df0ba422e14c65a910ab8/reports/016c6e76-3c00-44a1-a055-dcc37cc46772/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d903d443-b12a-414a-bb87-dae22145395d
Result
Threat name:
DBatLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1326958
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected DBatLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1326958 Sample: Cjdeazryrjcnuk.exe Startdate: 17/10/2023 Architecture: WINDOWS Score: 100 55 web.fe.1drv.com 2->55 57 ph-files.fe.1drv.com 2->57 59 2 other IPs or domains 2->59 81 Snort IDS alert for network traffic 2->81 83 Multi AV Scanner detection for domain / URL 2->83 85 Found malware configuration 2->85 87 9 other signatures 2->87 12 Cjdeazryrjcnuk.exe 6 2->12         started        signatures3 process4 file5 49 C:\Users\Public\Libraries\yrzaedjC.pif, PE32 12->49 dropped 51 C:\Users\Public\Libraries\netutils.dll, PE32+ 12->51 dropped 53 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 12->53 dropped 93 Drops PE files with a suspicious file extension 12->93 95 Writes to foreign memory regions 12->95 97 Allocates memory in foreign processes 12->97 99 2 other signatures 12->99 16 cmd.exe 1 12->16         started        19 yrzaedjC.pif 54 12->19         started        signatures6 process7 dnsIp8 65 Uses ping.exe to sleep 16->65 67 Drops executables to the windows directory (C:\Windows) and starts them 16->67 69 Uses ping.exe to check the status of other devices and networks 16->69 22 easinvoker.exe 16->22         started        24 PING.EXE 1 16->24         started        27 xcopy.exe 2 16->27         started        30 8 other processes 16->30 61 45.77.76.224, 49747, 49748, 49749 AS-CHOOPAUS United States 19->61 71 Detected unpacking (changes PE section rights) 19->71 73 Detected unpacking (overwrites its own PE header) 19->73 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->75 77 4 other signatures 19->77 signatures9 process10 dnsIp11 32 cmd.exe 1 22->32         started        63 127.0.0.1 unknown unknown 24->63 45 C:\Windows \System32\easinvoker.exe, PE32+ 27->45 dropped 47 C:\Windows \System32\netutils.dll, PE32+ 30->47 dropped file12 process13 signatures14 79 Adds a directory exclusion to Windows Defender 32->79 35 cmd.exe 1 32->35         started        38 conhost.exe 32->38         started        process15 signatures16 89 Adds a directory exclusion to Windows Defender 35->89 40 powershell.exe 27 35->40         started        process17 signatures18 91 DLL side loading technique detected 40->91 43 conhost.exe 40->43         started        process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-10-17 02:26:05 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
19 of 22 (86.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fopst5dvwsnp3tbg4yb4y37wkch7hplwm3grqgq6prp2yiy7m56a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
6b390b01eb98d6376430626d51e2745f1a4f57cf89b9b6cfb81f968d44af09c8
Loki
a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
Loki
f95d84bd16012696182588589d691c5eaa131d28b7dc53cad85d497d61dab85f
Loki
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:lokibot family:modiloader collection spyware stealer trojan
Link:
https://tria.ge/reports/231017-cwtxxsgg7z/
Behaviour
Enumerates system info in registry
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Reads user/profile data of web browsers
ModiLoader Second Stage
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://45.77.76.224/~clinics/3767664902
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b84daaf8a74ca536da7ec9c2a72d418ebe2db4462b99d7ee69fbc4713ffc8930
MD5 hash:
e943ba5fb84c37030c0daf907c79825c
SHA1 hash:
d393d513939c6a4b1e5fb2598ef14ed424fcb9e2
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/70d09aae-fda9-44ce-b6a1-28d29c74da87/
Parent samples :
a3c849f16457f5e170e594c7ca0a2fbb12d9e144e83e51d93f4fab8d62a5de82
f95d84bd16012696182588589d691c5eaa131d28b7dc53cad85d497d61dab85f
6b390b01eb98d6376430626d51e2745f1a4f57cf89b9b6cfb81f968d44af09c8
2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
e329d4fdf3557b00cfd9044dbd12048077fcb6f8cdbaf1553308e292bf6a3707
9fd26cbae8d741263a304f7532107d61d6e78b91a1e551dc2822131dc70eddc0
f76b8555effde0257cd4c22e62e7aeb3c4f055bac15cc24c46de1292fe7b034f
035f5ee40a4986872d3480fa5d5e96e4dd56c0d1b93cd77a82cadce3283243e7
c9f192e7d1592bfc56e3209da73bbf5fb8a5fbcfcc2d492dbdddfc60c77a1d20
af2a5455f4de7136e90e94e7bee5ba398d01f09ab9d01ef32bb70e560030b650
4397154fc1574bb682c055e6c5cefd36155aa07928edce3593ef38cb975b1f0f
267f54dc36591c1746dba949c776e015c9c89be7a11f4c3ebf7ab0fb4510e0e3
129a9a2dbbd1c3f8c82b66d020ec59b82878ab94a30647902d80dbeb92f74878
4b45c80c13d9143811cacdda64ac2e4cab04fe6262e16cb813836fd244ff5b9c
13a14e45ca00f015b20954bfd7eed1a9eaf0a763da1d155e673e53d31821abb1
582cf4bb7c3f703cb6bbacd2bfa8a1d2f098ca11e0d0fddb8c1d8e812ddc2d69
5e9fb70e299a28b494b0ef9522226219e4dbf7dcf1aeae541f23eaa90ff3f28f
e4fbd0f46d093579c855bf711e874a5ba4e6f3ea047ae5964a08bfb1e762d4f6
204d5541a347bee64224d392403286271bc2351c50101e89b19e896f1756b389
48b290c2bfc5741616cef2f1904acebfc3366cfc99388f075aeb26100881ea98
f45307b5999dab601bb6371d4617cb7378d352e234f1df11b5ba41d779a90564
7a79cdd88f52bd9acdbe1b312bf1583e09827d58b293f53a3d261a654dcfb1df
04f083fb8b7b8ff01c98b972859d03db4de185f81877e180317792e2361043cf
85ca618bef7b97885f9f8c83a5abcb5afcafe9b6ffc3db6893a0dcdd61f6a891
53ac3a6c6aa59e943cff071d3100d55d826268f96e2366ddad3b32fe8c9b98e2
771af3e897f1d32625cdc3cf41d76dcfd21ae27994b721ae6c7cb82bcb284789
b1ca8bbed94ba2690e722c88c1af75082b8a4abf9d7f70206f986746aaa0eae2
39b4aba5e8641981ee7c36537c71403e038895c5699f172498fb99f51f994b85
6b1c7f3b04daf1250db40b85131f39811315781ca521135b7648f453bfbe55cf
22e384543598c8f6d4b45b6d19c09f23e08429a89bb3fe580b368c8aecb9663b
f742048a48e4d17061d323b8543db4e61163d13739ab9c18e8d1c85aef2ca7ff
7e0c562b58d5c2183c98af42b5ff6b6cee6d7d82ad89e773bf0ba9c7f67c04b4
14323b6d2d712b7cd421ca1f6c0d25343fbb7cb94144e338d7a042f0f421e3b7
96df4af7b51b4a03a7014169c0862ed5820d4326d217f5ef4e099c1667a8045d
c2f8b88850fcbc4df88e6708b12a265ed133ba04702f89ae9cf1da504c11bc6e
452fa0451a2bb4c555368aec8f070a3db895414d43e089af54431ebf89d50841
d9c05e4806384074097aabfbdd8965b3767d673f9032b06bed207fda7feccbd7
3ba6ce638dcb1c82a2d3096edcc46a1d5086b9233c4e8be471ba748af9d9b41a
b2a65a2aa1c5bed21112712762ddb73f254219e8037e57c984c1bcd65ad576a7
448a8114208fbb7d2e83c81d59bc262d6857937ec0bceeebda75ad978265b5dc
9dbe21429d77afca07940928b39d0e7c9d994ea9d10a651ccd5189d4522be1cf
cf9cebd5de732b485456f6de49e70b488fb4658c48af572b16b6b2943dfadd50
214d29953c8211d48c06ce4e16239920b4ed1e148428a9165dcfe184fd6ab619
2a347e81537122aca6656bd41eab07d8abd57d85684e71c877650c96963f9123
8282976c399101d48a2f46771f768d37f4de4124d00f4ba8f01d63d6ef935c1a
c016c2649684722dc1e308e080f1739f3314927b3c022f63ad7da9caacd79a63
ea854ab77631dbf87f8a69de2f865d33751dcd3fe5b0284c38e12de2f471a9a4
1868a740c4a9ad3f6df9ee149c74de5744e3488faa33bf3c9811882fbb5d76af
c6e6d9dd75af4dd8ec008e9dc75688b0325d31c822eef311783feaffff7c0dbb
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/70d09aae-fda9-44ce-b6a1-28d29c74da87/
SH256 hash:
2b9f29f475b49afdcc26e603cc6ff6508ff3bd7666cd181a1e7c5fac231f677c
MD5 hash:
43f55a41a6ec2a858c28b796f0138f36
SHA1 hash:
2dd7b05c3f8f580c00253ffef3ba6ece4bbc6708
Link:
https://www.unpac.me/results/70d09aae-fda9-44ce-b6a1-28d29c74da87/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b9f29f475b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/455098/

Comments