MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f
SHA3-384 hash: b7b05235e1b906a5daa2f6700f14086d701541441557fd63418a201ba5e84a0d547d3a21b5beae0f787e9104a5faf03e
SHA1 hash: e7710230b537181fd5bda7466697b58dbeb1e9c9
MD5 hash: 4d74c8a3ea965a15fa1903e17ab291c7
humanhash: one-item-pennsylvania-five
File name:2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f
Download: download sample
Signature Loki
Create hunting rule
File size:593'920 bytes
First seen:2023-08-09 10:40:03 UTC
Last seen:2023-08-09 10:40:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:nuYiIoFwIrG3XCCaoYGjzHZVGD1WreOx3zICzn27AUm6H0v:uHIcTrGCcXHZUD1/OS827Xm6H
Threatray 3'927 similar samples on MalwareBazaar
TLSH T14EC412A95EA48E6BC67D1BF4092077F6A37DBEE63061E24F2D52B4CDF852F4C8521201
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 37c39995b4b4154b (6 x AgentTesla, 4 x Loki, 4 x Formbook)
Reporter adrian__luca
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f
Verdict:
Malicious activity
Analysis date:
2023-08-09 14:58:50 UTC
Tags:
lokibot trojan
Link:
https://app.any.run/tasks/4a447e9a-4a09-4c46-851e-dfd27edf4b69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441589/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.738.11324.24461.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3bd1864-e875-42b4-bc16-9c676f6bf33b
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1288460
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1288460 Sample: x0Qw4iMGvT.exe Startdate: 09/08/2023 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 8 other signatures 2->47 7 x0Qw4iMGvT.exe 7 2->7         started        11 sGzdWE.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\sGzdWE.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp4C85.tmp, XML 7->37 dropped 49 Uses schtasks.exe or at.exe to add and modify task schedules 7->49 51 Adds a directory exclusion to Windows Defender 7->51 53 Injects a PE file into a foreign processes 7->53 13 x0Qw4iMGvT.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        55 Antivirus detection for dropped file 11->55 57 Multi AV Scanner detection for dropped file 11->57 59 Tries to steal Mail credentials (via file registry) 11->59 61 Machine Learning detection for dropped file 11->61 21 schtasks.exe 1 11->21         started        23 sGzdWE.exe 11->23         started        25 sGzdWE.exe 11->25         started        27 2 other processes 11->27 signatures5 process6 dnsIp7 39 138.68.56.139, 80 DIGITALOCEAN-ASNUS United States 13->39 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->63 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal ftp login credentials 13->67 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 05:40:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f24b4xxtk4u76xgtgc2bgrzvakmoedgojmpl77g3vef6oc4elehq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
87315498a98e525f805959cc316405bb4f937ee28b087c68838033ecd3cd0dd5
Loki
9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
Loki
af4bdead217cfc83478637fe18f218c3eee2f6e7c0005f0cde43cd7af1031114
Loki
c8ad050630ea954712c67d5c27e8f75542d78e7d43c81554c0a652da9218a880
Loki
e2357821cf4c5c1991d7751e1ddad32d833979c37dcb9c51013b9bf403f615bf
Loki
+ 3'917 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/230809-mqjvwacc5v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://138.68.56.139/?p=9198360515
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
aec4fa842cba931664f2e13b002970cff4ad0ea83baab568e6eef81d99107d55
MD5 hash:
39e53820872a3c83671e35c2c07479b7
SHA1 hash:
cff9ef6261aa1ed974bc0aad1fed763e4b2058b8
Link:
https://www.unpac.me/results/fa7c3119-a018-4ad9-914a-d96b2a382066/
SH256 hash:
e4dca30624222fe9b48e512a5db728db501a2000df2ebc845442f102611f1713
MD5 hash:
06d2e5f6c47b9ed233e7346b16d67814
SHA1 hash:
4f13f8599f8639d7f1702ccb90da94a1e30de145
Link:
https://www.unpac.me/results/fa7c3119-a018-4ad9-914a-d96b2a382066/
SH256 hash:
a92f2fcb90ac6724f4a6bbcdff52cbb39825badcf050c084b1db8e4fae0bac84
MD5 hash:
9c96fea52e113cd0f120102140bed23f
SHA1 hash:
4c2cbebeb2586d98097b2e4029787aa4f60a8f45
Link:
https://www.unpac.me/results/fa7c3119-a018-4ad9-914a-d96b2a382066/
SH256 hash:
fe3bd8c55d03026d8e0243a71dc411488661fe41ca7de43649ff61b1d53b2510
MD5 hash:
528b0f2b2231328acc1fd9c50e575c9f
SHA1 hash:
0f924f3bd115273d2b504b5c6132c89a38010f44
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/fa7c3119-a018-4ad9-914a-d96b2a382066/
Parent samples :
ef954e69e445fd7a4ef88db4ec43f0b9ab80985e2de23d1fc6dfe89a8dc88970
d60d94a1edcdab800f81abe6f72248469547a1b55f89cd872acda4cc6d7dee61
39962d783ceca0f8d0250660179c45b22e74097cf20eacb5464342fbcfcac61a
8615a11492e27f4a2d4b3028ef8a94f179d7e4b2f8d81f3088172378db2e9df2
127c29b65ebf2143b66e5c60fcdbae43c4789c836e273e4f996efd0e56040e8f
9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f
SH256 hash:
2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f
MD5 hash:
4d74c8a3ea965a15fa1903e17ab291c7
SHA1 hash:
e7710230b537181fd5bda7466697b58dbeb1e9c9
Link:
https://www.unpac.me/results/fa7c3119-a018-4ad9-914a-d96b2a382066/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2eb81e5ef357/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/441589/

Comments