MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs YARA 16 File information Comments

SHA256 hash:	307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0
SHA3-384 hash:	82e32a0f6a2214fad97b78a32bfcb151c31a0d909b5f7c5259f2721de08175576c45b83b2805006369818ee8901ef8cf
SHA1 hash:	d3d256b5ad2497542dbad422e009e47ce939571f
MD5 hash:	9045d0b46b820ae46a56caea6c975791
humanhash:	mockingbird-angel-oven-magnesium
File name:	vbc.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	217'088 bytes
First seen:	2023-04-05 12:58:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	106eb5dbb7fdc2adeef530fb10849030 (1 x Loki, 1 x Stop)
ssdeep	3072:+o+RE8kRPEFQzvmpOXFBCdQ33nQYvaP1Q+T6QDy8as5vWpaT:6R6s+CdQH5aWCzD7maT
Threatray	4'036 similar samples on MalwareBazaar
TLSH	T1E824CE103AA0C4B3D51B42308867D6F46A7ABCB2DF9595CB33A42F7F2D722D16A76311
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	80909480c8603008 (1 x Loki)
Reporter	Anonymous
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

QUOTATION FORM MV. CHIANG LAAN TRADER.xls

Verdict:

Malicious activity

Analysis date:

2023-04-05 12:10:30 UTC

Tags:

opendir exploit cve-2017-11882 loader trojan lokibot

Link:

https://app.any.run/tasks/f1dfcfe2-95b7-4eeb-b0c3-28d7a20bb1c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/380296/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76649/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware khalesi lockbit packed redline ursnif xpack zusy

Link:

https://www.filescan.io/uploads/642d70986d5da9b446732bc9/reports/a598a245-2293-4ba2-b2eb-5b5c5d1c1d86/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ee5c21da-a151-4ee5-aa9f-8c24268855f8

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1208836

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0/

Threat name:

Win32.Trojan.Lockbit

Status:

Malicious

First seen:

2023-04-05 08:06:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gb5umk2vjeakugyial2orf2szxsjznaelpedvsdqqv4ng7v5vwya._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

Loki

26cfdd614196dd8f128f01480c55504960ecafad60991455a030cc5c73130f2a

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

83ce4d12583639df7dcbe4d13b6e608bca3c42a58dc4fbb18c352fa93dec7800

Loki

a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4

Loki

c3dea3389041968fad1157e83d29246d4cc7a34fc60adad44f75c5c1fab00956

Loki

+ 4'026 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230405-p724wseg78/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Lokibot

Malware Config

C2 Extraction:

http://185.246.220.85/fresh/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

07686bd3670d7660420f09f8771135bb16588e15b45561219ead1841952d38f1

MD5 hash:

046a6366921953d042f7a0ffcb26c50d

SHA1 hash:

2dd27e32320fc0277397f57d24ed4b13d99e09ac

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/204e556b-9296-4aef-a26b-4f43ec04200b/

Parent samples :

4de70d7c97aac4c236396bb488f748b432fda9537e06afa042a77235b1cb8117
36ffec829c35dbf09529550e086446cfd835b4a43c71014ab217783fde2bdb9f
dc77fa38dcbfa8304ae07b051d7658f367286bc92005d327a34c944975719b00
ae4a3ef24f5482b9344969457ac89e08d2598a3721f1725325e86039758f91a2
763fc70c680ac478f31474306d6bb7a0f34893f98d691e0a49b6948a800cf7d4
307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0
db182e4d02790fa627a9d62e3b9439203d2dd5c88c44a5355a7681b7defe24da
93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa
f85b9025ca21804e4ef484b69c89ab2f70de661606b5987e8ff32111256b2a70
90d7dc2cd673fb159368c95d06eb59523898f1498a6d9ce5eb8618690d93e724
15a2d3053598efc70f0ac04252def24ef4dcb216b0ef0a25a957916c8a42207c
72e9d6672de64aae16ae8f4433a9ed08171a7f86decb0d134a03123dd93035d8
21e0ec96d06a0b1e71712fd34ce50e1e4c5a937e8fe8c21f89c5eade948affd5
b6219cebfd6180b0278dc07062893751f3e9c056a23b0b876b2752513cc4a1a5
d3d3facae5e604eded7bf28b146dff57334aa0d9691f1f32eb6f0a30f819bcb8
b7af929b8d99a8a2ec29774cd6c8cf77071b4c865bfe140aedf8b181ce54df89
63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464
da108473566740a4ecd7f86677ee7a22779808be300f3329ca4a6d8877d0fcdf
4e21a93e941a2e0899526af6e6196ab23b2c916bdd01a396a7c546122b1980df
d9b8816dc05c98d38419c94b02dc18ebd9494d13088ca2e1bb757f987001c1fd
0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092
07d199eaef476d20fa7fde86555086bc6193f7426f4b38513299928f06939d8f
1290e2fa7dd284fcddc2bf9caeac02ccbae1f1e715766eefd7644c245a6ecc53
35c38475ab2e902a2f2c56b2b17f27afb10b3b56365c853a8bb33a9c906366e8
48e32c11cf9fe47ee75f05a9cd9c1bf4598869fe1564eaf7c1bbabf309e823b1
9d19092e410ffb1914d7cd9271ec34b5aa8973eda65fd821851e53921a7017fe

SH256 hash:

307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0

MD5 hash:

9045d0b46b820ae46a56caea6c975791

SHA1 hash:

d3d256b5ad2497542dbad422e009e47ce939571f

Link:

https://www.unpac.me/results/204e556b-9296-4aef-a26b-4f43ec04200b/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/307b462b5549/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2598338/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/380296/

URLhaus

https://urlhaus.abuse.ch/url/2599147/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample