MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ad292ab37e9e518d9d0ecab0cc469dd9d7fe4f1fc553ffc9eafa9afba79e586. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	3ad292ab37e9e518d9d0ecab0cc469dd9d7fe4f1fc553ffc9eafa9afba79e586
SHA3-384 hash:	9321386737293f99a7e2c233a10762e5e6e6f9aff99d4af5832e95ac0b92efdea1245291ae1116a6a0426b12132dbe1d
SHA1 hash:	733fd0448d31ad06871c6b7ee6d79fe7ada5b82c
MD5 hash:	254b1c8bb5194adf77c5ea62ab063d07
humanhash:	west-delta-nitrogen-nebraska
File name:	103680.pdf.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	768'000 bytes
First seen:	2022-09-30 10:01:36 UTC
Last seen:	2022-10-06 23:36:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:yTI2SqdJ7VwILWzKaPChxpW8RoLd1Z+8hEDEqgi3pTfZmX:F2SqtLQwWW78hA
TLSH	T10AF4CF2A3AD9664FC017E53989D0CEB1E755AC22D21BC383A6C72D2FF44D596CF213A1
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c198989999e9b179 (16 x SnakeKeylogger, 13 x AgentTesla, 8 x Formbook)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://lokiz.org/gold/vx/wa.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://lokiz.org/gold/vx/wa.php	https://threatfox.abuse.ch/ioc/858652/

Intelligence

File Origin

# of uploads :

# of downloads :

336

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/315106/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.389.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6336be9ddace43a378f3c6b7/reports/db3fa913-9bb3-4c07-a736-ea8bec0ab43d/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/997a72bd-9314-4638-92cd-2b701f51cf3c

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1080777

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/3ad292ab37e9e518d9d0ecab0cc469dd9d7fe4f1fc553ffc9eafa9afba79e586/

Threat name:

Win32.Spyware.SnakeLogger

Status:

Malicious

First seen:

2022-09-30 10:02:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hljjfkzx5hsrrwoq5svqzrdj3wox7zhr7rkt77e6v6u27otz4wda._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220930-l2srgsebbn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://lokiz.org/gold/vx/wa.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/49e6808d-eeb7-4edd-8870-feaee01e2849

Unpacked files

SH256 hash:

bd75065ac526697bbbb0cedf585d8d45428ed17811ab547053172fbb504ef716

MD5 hash:

a00a3697a7510ae39851668ff158b9f7

SHA1 hash:

f63597d4d34e334815412edc6301a44459f59469

Link:

https://www.unpac.me/results/5e414496-54d8-452e-8453-c44bf2b62f31/

SH256 hash:

0d43d99399293c1dd298397096f6f8e9041075a92a3e3a35f21ad15207e6fafc

MD5 hash:

c563eb28404283bacd64285bd3dcf504

SHA1 hash:

e9654541f8894e1825416134bff0c8213d3dabf0

Link:

https://www.unpac.me/results/5e414496-54d8-452e-8453-c44bf2b62f31/

SH256 hash:

31589c9f1abc3d115942b798dcf9a535023112e02b2970d24e76c7c8dd1d6e3b

MD5 hash:

b0f56df1888baede5efbcb89cc8f982e

SHA1 hash:

81f940d405a5aec2cde410d710f7474a0c921dae

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/5e414496-54d8-452e-8453-c44bf2b62f31/

Parent samples :

8889a80ba52046a9980a2575191afbf1eed046dccc770acb32542e648e1dd7a1
3ad292ab37e9e518d9d0ecab0cc469dd9d7fe4f1fc553ffc9eafa9afba79e586

SH256 hash:

2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af

MD5 hash:

c3a1924684ca30ed22234ce1d9111dfc

SHA1 hash:

7347706241422758c06440fd6044ae4e042b456b

Link:

https://www.unpac.me/results/5e414496-54d8-452e-8453-c44bf2b62f31/

SH256 hash:

edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e

MD5 hash:

574597554c69083c1af2b742a97a92b6

SHA1 hash:

043eea660b8650c5a0042f842fd8db3516d37a2c

Link:

https://www.unpac.me/results/5e414496-54d8-452e-8453-c44bf2b62f31/

SH256 hash:

3ad292ab37e9e518d9d0ecab0cc469dd9d7fe4f1fc553ffc9eafa9afba79e586

MD5 hash:

254b1c8bb5194adf77c5ea62ab063d07

SHA1 hash:

733fd0448d31ad06871c6b7ee6d79fe7ada5b82c

Link:

https://www.unpac.me/results/5e414496-54d8-452e-8453-c44bf2b62f31/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3ad292ab37e9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/3ad292ab37e9e518d9d0ecab0cc469dd9d7fe4f1fc553ffc9eafa9afba79e586

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/315106/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample