MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 3 File information Comments

SHA256 hash:	2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6
SHA3-384 hash:	c64fee1b4dc05f4754281a7e8214b174df6553e8d4a68dbbe4799523f78a682842c544e813b72e3dea37074f970d31d8
SHA1 hash:	145969247a1c9bba3ce5f4d4ae8ffa9ed3b50fc3
MD5 hash:	4267514133e3b588945a6461622e8cac
humanhash:	carolina-don-papa-solar
File name:	vbc.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	387'072 bytes
First seen:	2022-06-17 09:02:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:xXs5NRX2OuA8j8Y9bjAePlqlWIHYIK3aEL5iT4iHVZ88nhkDgqBwl5FRj8iAzL:xuAj8IjAePlV8u3aEFiT4i1Z8GkfS5FK
TLSH	T1C6840244AAAC6B27DABB6BFDC4B1640503F1B53D7622E3585CD122CE4E637808B58F17
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	3092b27070b29230 (6 x Formbook, 5 x Loki, 3 x AgentTesla)
Reporter	pr0xylife
Tags:	exe Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://plxnva67001gs6gljacjpqudhatjqf.ml/BN4/fre.php	https://threatfox.abuse.ch/ioc/715916/

Intelligence

File Origin

# of uploads :

# of downloads :

266

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/280898/

Detection(s):

SecuriteInfo.com.IL.Trojan.MSILZilla.19314.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ac4354473553ed3198b837/reports/91128245-46d1-48bc-bf60-837efcbe8eae/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/998be917-067a-4f09-800b-885b5e1a620e

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1015025

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Queries random domain names (often used to prevent blacklisting and sinkholes)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2022-06-17 08:46:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fpzdxsvmf6ss7xtoc4cxlxx4yemapy2as5d6slq42c4m7e6itc3a._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220617-kz1hwadge4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://plxnva67001gs6gljacjpqudhatjqf.ml/BN4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

4de22c3ae6d00e2235699463077878e4ee50154334298cb448afad0f8332601c

MD5 hash:

fee12c02bf81c361c624a1e04aec8704

SHA1 hash:

81080652b1557205d9369edeb4aa14b399a54b0b

Detections:

lokibot

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/d987f07c-db98-4fcf-a8c8-57e429d50848/

Parent samples :

2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6
9b44c677587d3cbd6eeb546e50011fbeb5e7e5ed5768d25858be6da683ba5bde
8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa
a268288a6fd08bdf1f7458dbfba0cfce862e6f109dc51738d51654dd2540256c
69c72c6b690d302ba4c3294c90b067a50964bdac9e9f36b7d4ce6fd041c0715e
1cad6ac7f1a52dabece616a63040cc6e1b191461ce96caaef87a846de6c8ead4
e62ee0571627a81874e4439aacbb166d8a6419437e190278f432accfd92adb35

SH256 hash:

a6659ca7295cfcb74435a742f8ecb956586c32dfbb84e5ca50e3c1c89b08fffc

MD5 hash:

aa97059512dd6d6e84d469eab8a8f6e7

SHA1 hash:

6da0f5b6c6d6c3718c9148166ef35f78e7845f0e

Link:

https://www.unpac.me/results/d987f07c-db98-4fcf-a8c8-57e429d50848/

SH256 hash:

ca6eb90741f10c19d763605139aa0060709b966776778339c3d45a414e593309

MD5 hash:

c02d8e665e142aff718e314e9f2bcb2d

SHA1 hash:

5ff45a60bc01b128691f8b7f1953abae12c6d4a4

Link:

https://www.unpac.me/results/d987f07c-db98-4fcf-a8c8-57e429d50848/

SH256 hash:

84238dc32dc2c72716d7233f509b43a45617e2a24ca07eecda58ae37a704b90b

MD5 hash:

1d6115ad56b1707c8afa1a65f22afc96

SHA1 hash:

58cbf25298e84cf9d91da78ae370ac5ddbb2c3fd

Link:

https://www.unpac.me/results/d987f07c-db98-4fcf-a8c8-57e429d50848/

SH256 hash:

2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6

MD5 hash:

4267514133e3b588945a6461622e8cac

SHA1 hash:

145969247a1c9bba3ce5f4d4ae8ffa9ed3b50fc3

Link:

https://www.unpac.me/results/d987f07c-db98-4fcf-a8c8-57e429d50848/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6

(this sample)

Cape

https://www.capesandbox.com/analysis/280898/

URLhaus

https://urlhaus.abuse.ch/url/2242008/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample