MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381
SHA3-384 hash: 352ebacd64050d4299547e8387809d1d52c3e18e5883ed0b5774fd841f8b9ba44fd9f4e5d0497814b53ec72b56fbd781
SHA1 hash: 005e61ccfa9a0840d788bcff2a95cff7ec88d6db
MD5 hash: c27bf6db51f64901ba56cf64003cabd2
humanhash: shade-kentucky-romeo-december
File name:C27BF6DB51F64901BA56CF64003CABD2.exe
Download: download sample
Signature Loki
Create hunting rule
File size:751'396 bytes
First seen:2024-12-08 07:50:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:WcrNS33L10QdrX2mVnCGoe0cZKqMEF0JCEharfH0uceMTLlW44UdLZeZ:FNA3R5drXbVCGoRcZDMEwC9UucrjLc
TLSH T111F40142F7D2C8B2D17329364E39BB24A97DB9201F34DA5EA3C44D7D8A71481A125FB3
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10522/11/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon d0a6a24969b3d6e8 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php https://threatfox.abuse.ch/ioc/1353501/

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
C27BF6DB51F64901BA56CF64003CABD2.exe
Verdict:
Malicious activity
Analysis date:
2024-12-08 07:53:20 UTC
Tags:
lokibot stealer trojan
Link:
https://app.any.run/tasks/45c5edaa-af96-4a12-9a98-b3711738a4e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67554fe7fca9c44c24973daf
Tags:
virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Reading critical registry keys
Launching the default Windows debugger (dwwin.exe)
Changing a file
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Uztuby
Link:
https://www.hybrid-analysis.com/sample/3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19992163-0b7f-4ce6-b4bf-ee041e2a8572
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1570840
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1570840 Sample: zZeXr4mg0S.exe Startdate: 08/12/2024 Architecture: WINDOWS Score: 100 46 x1.i.lencr.org 2->46 48 www.stipamana.com 2->48 50 2 other IPs or domains 2->50 66 Suricata IDS alerts for network traffic 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 7 other signatures 2->72 10 zZeXr4mg0S.exe 3 9 2->10         started        signatures3 process4 file5 44 C:\Users\user\AppData\Roaming\segzs.sfx.exe, PE32 10->44 dropped 13 cmd.exe 1 10->13         started        15 Acrobat.exe 81 10->15         started        process6 process7 17 segzs.sfx.exe 7 13->17         started        21 conhost.exe 13->21         started        23 AcroCEF.exe 106 15->23         started        file8 42 C:\Users\user\AppData\Roaming\segzs.exe, PE32 17->42 dropped 64 Multi AV Scanner detection for dropped file 17->64 25 segzs.exe 1 17->25         started        28 AcroCEF.exe 4 23->28         started        signatures9 process10 dnsIp11 74 Multi AV Scanner detection for dropped file 25->74 76 Tries to steal Mail credentials (via file registry) 25->76 78 Machine Learning detection for dropped file 25->78 31 segzs.exe 25->31         started        36 segzs.exe 25->36         started        38 segzs.exe 25->38         started        52 23.47.168.24, 443, 49764 AKAMAI-ASUS United States 28->52 signatures12 process13 dnsIp14 54 www.stipamana.com 94.156.167.57, 49752, 49757, 49760 SARNICA-ASBG Bulgaria 31->54 40 C:\Users\user\AppData\...\31437F.exe (copy), PE32 31->40 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->56 58 Tries to steal Mail credentials (via file / registry access) 31->58 60 Tries to harvest and steal ftp login credentials 31->60 62 Tries to harvest and steal browser information (history, passwords, etc) 31->62 file15 signatures16
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381/
Threat name:
Win32.Infostealer.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2024-12-05 21:28:00 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gq46v77b37ldjndkfhxh6dutrnnql6ohqqjdu4fzj6punkrxaoaq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
error
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/241208-jptf5ssmfq/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Lokibot family
Malware Config
C2 Extraction:
https://www.stipamana.com/dftjedrshyyj/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
lokibot
YARA:
n/a
Link:
https://app.threat.zone/submission/3bc43aee-7731-4975-a77f-e93852e3e7f2
Unpacked files
SH256 hash:
4d4d5a2b33b8171dcea33ebad3e91cb17d0b9e2acf7e57e4a7baead696974479
MD5 hash:
0320126a1c43ceb5f36cb90d83eebb2e
SHA1 hash:
bb0d68cf62e2b56d3c21f45c396826698014f5b0
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/c207007a-e433-45f2-a67d-32683528a4e9/
SH256 hash:
842e7be23db5b832c7a2a4a52979ade61206af9cc2f696e567b0fdc68486c9e7
MD5 hash:
e7034846dcf857a9360b1459be7ab90e
SHA1 hash:
b9aedbef953daa8f8b0ee61e78e3deb0b6cbd0ec
Link:
https://www.unpac.me/results/c207007a-e433-45f2-a67d-32683528a4e9/
SH256 hash:
f442d36a0042f17ad5dcc8f66eeaff200a970ac52dadae4beb896949cba9076d
MD5 hash:
a939c7bad5379307cf8dc8c034a442bc
SHA1 hash:
7fccc8cb4602e3b48017e9657ad152afc1f64b28
Link:
https://www.unpac.me/results/c207007a-e433-45f2-a67d-32683528a4e9/
SH256 hash:
7782d5246a8cf7a2f8cef7252a489871c213f96126884ec68c41b964e77e07d8
MD5 hash:
6c176c19b5f3372c5f90645df6de7e31
SHA1 hash:
13e33f53be3d92e72e43adda7be588fcacc86e77
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Link:
https://www.unpac.me/results/c207007a-e433-45f2-a67d-32683528a4e9/
SH256 hash:
1e8b8a1d2c6ec94db9aa967acc38df5834cf5f01848424d32af3bc6288f084ae
MD5 hash:
98290c6451f9e0e0e94f7c6a51b253d2
SHA1 hash:
c4575191d694b4f46f4530b22a306166b38ea033
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_NET_NAME_ConfuserEx
Create hunting rule
SUSP_OBF_NET_ConfuserEx_Packer_Jan24
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
INDICATOR_EXE_Packed_ConfuserEx_Custom
Create hunting rule
Link:
https://www.unpac.me/results/c207007a-e433-45f2-a67d-32683528a4e9/
SH256 hash:
3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381
MD5 hash:
c27bf6db51f64901ba56cf64003cabd2
SHA1 hash:
005e61ccfa9a0840d788bcff2a95cff7ec88d6db
Link:
https://www.unpac.me/results/c207007a-e433-45f2-a67d-32683528a4e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3439eaffe1dfd634b46a29ee7f0e938b5b05f9c784123a70b94f9f46aa370381

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments