MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14
SHA3-384 hash: 4a588559cad7d92822898cf1bd277ff153109a493ed5296967812c24e6c1e1020cb77b7b6289b2e6a547f239f6274efb
SHA1 hash: 67af810048271405a6f37bd06ad7da4bd2461b42
MD5 hash: 8565799047b02aac532da2d0996e6c23
humanhash: fix-magazine-avocado-princess
File name:Payment7602020062601480045_423_761.exe
Download: download sample
Signature Loki
Create hunting rule
File size:506'880 bytes
First seen:2020-10-22 06:17:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3REJgB3ouBaKHxROZk+dEjltYtIwP8c/agZOjzzi9hrnukB:3P4u4v2l6tIQ8owwVB
Threatray 1'783 similar samples on MalwareBazaar
TLSH 09B4E12A2655BF11F4BD0A3BD4E95420637AEC03AA43D66E18E034FE5EB37F9015136B
Reporter abuse_ch
Tags:exe Hostwinds Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: hwsrv-791030.hostwindsdns.com
Sending IP: 104.168.203.117
From: serah <casd@toshiba.com>
Subject: Incoming Payment advice-BG_EDG7602020062601480045_423_761
Attachment: Payment7602020062601480045_423_761.rar (contains "Payment7602020062601480045_423_761.exe")

Loki C2:
http://mecharnise.ir/eb3/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74456/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.18074.13236.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Stealing user critical data
Moving of the original file
Enabling autorun by creating a file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506601
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 302472 Sample: Payment7602020062601480045_... Startdate: 22/10/2020 Architecture: WINDOWS Score: 100 28 mecharnise.ir 2->28 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Multi AV Scanner detection for domain / URL 2->34 36 Found malware configuration 2->36 38 13 other signatures 2->38 8 Payment7602020062601480045_423_761.exe 7 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\...\fjjmBJHPKFP.exe, PE32 8->20 dropped 22 C:\Users\...\fjjmBJHPKFP.exe:Zone.Identifier, ASCII 8->22 dropped 24 C:\Users\user\AppData\Local\Temp\tmp934.tmp, XML 8->24 dropped 26 Payment76020200626...045_423_761.exe.log, ASCII 8->26 dropped 40 Tries to steal Mail credentials (via file registry) 8->40 42 Injects a PE file into a foreign processes 8->42 12 Payment7602020062601480045_423_761.exe 54 8->12         started        16 schtasks.exe 1 8->16         started        signatures6 process7 dnsIp8 30 mecharnise.ir 193.228.91.147, 49735, 49736, 49737 REBECCAHOSTUS United Kingdom 12->30 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->44 46 Tries to steal Mail credentials (via file access) 12->46 48 Tries to harvest and steal ftp login credentials 12->48 50 Tries to harvest and steal browser information (history, passwords, etc) 12->50 18 conhost.exe 16->18         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 21:11:43 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=frgnlxb22hzdrz7bq3ckwd6tjqx3eik4pkw33bpulbiknx743yka._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8
Loki
22e8a783296dcabf49cb2c9b5f5a05b1cf670591e71130b08424a450aa54c419
Loki
37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c
Loki
54a48d5630f8a4ca57c1107678b3cb68ea03e80878db3dc2ddb9d92227ad542d
Loki
8867e72aaf3985ed148d3049c628d73ba0024e3129e466c17bd6a665be9e84f0
Loki
94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d
Loki
9693d78b6cb6fcdb5e129c278d307d7fa6bef2fff302498909640051f22b730e
Loki
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
Loki
e1e0a4fba3b1dc2e64ac088f5839fe75832cd9a824fd9f0f5e043821d9d18b0c
Loki
eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853
Loki
+ 1'773 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201022-nb23m4fqas/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://mecharnise.ir/eb3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
406789e1d8992e15048dced621b69c008b41008ec303d63c09e99dc6bbfdefa1
MD5 hash:
8d30528e067d95ee3696a0d40c245483
SHA1 hash:
30be566998d7d4d4ecd696de84d496da87745eba
Link:
https://www.unpac.me/results/7f92f560-8c91-4518-87fb-cc07859dffd1/
SH256 hash:
777af5fc4aa3ed0aa08f6936f537152824c6a928d3ee04ff7df12454e5119ec9
MD5 hash:
9af5ca8a904f16cbaf6aa980c8bfc9ac
SHA1 hash:
78f73f6cef33aabc5ac2da3d82bcf79a74d7174c
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f92f560-8c91-4518-87fb-cc07859dffd1/
Parent samples :
2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14
27e2de351b448871fe8c297a145dcb658dfe5a055772d79a0db8b0dfe710a758
SH256 hash:
32bfa8813807f39e13f8c246e8b7aa0f34caab984553d22bea4dfe04f3002553
MD5 hash:
e475ad8fa31c2a35b4b0c8d6739369ec
SHA1 hash:
8b6d05e53c765a93b02d78d8dbbb17608280f163
Link:
https://www.unpac.me/results/7f92f560-8c91-4518-87fb-cc07859dffd1/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/7f92f560-8c91-4518-87fb-cc07859dffd1/
SH256 hash:
2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14
MD5 hash:
8565799047b02aac532da2d0996e6c23
SHA1 hash:
67af810048271405a6f37bd06ad7da4bd2461b42
Link:
https://www.unpac.me/results/7f92f560-8c91-4518-87fb-cc07859dffd1/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar a8830e9bc9cb2ba72ab5b90c4496a676c3f2b96cad3006f6047d3531b030e7f8

Loki

Executable exe 2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14

(this sample)

  
Dropped by
MD5 3b3dad1e3352699bdd5c5763fdf77a5f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74456/
  
Dropped by
SHA256 a8830e9bc9cb2ba72ab5b90c4496a676c3f2b96cad3006f6047d3531b030e7f8

Comments