MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments 1

SHA256 hash:	3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a
SHA3-384 hash:	44df075efa65175c89665c5fccc69c35d230f98823e2225aa6747f9d625d2f1d7cbc1da2c29623ca3cc54431dd821846
SHA1 hash:	5386dedf2b0584522fe02fb365fdd0dfd31e780e
MD5 hash:	40cdcc9d27361a0721fc24e5a74107ed
humanhash:	nebraska-bravo-cola-cola
File name:	40cdcc9d27361a0721fc24e5a74107ed
Download:	download sample
Signature	Loki Create hunting rule
File size:	343'552 bytes
First seen:	2021-10-06 19:30:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'660 x Formbook, 12'251 x SnakeKeylogger)
ssdeep	6144:BjZeQ+3HwOPU2QbfqVyeXCotPpoBzqQ+1RDf5YwAGHTAcb:boPzQbfBBSTfhYQHT
Threatray	4'892 similar samples on MalwareBazaar
TLSH	T1AF74E094A3B7871EDD34C7F52414B2621BF6642B212AC3385EC5A4FD2863FB16AD0D93
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

40cdcc9d27361a0721fc24e5a74107ed

Verdict:

Malicious activity

Analysis date:

2021-10-06 19:32:50 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/8a766f73-13c8-41b3-b197-06c9ac19d69b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/195535/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615df97eb95458900cdd6770/reports/97801694-2626-40a9-9bf2-14e8b35e3aa2/overview

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d02e53e7-fe79-49d0-8025-54e25859b78b

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/865829

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-10-06 19:24:04 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hr6mgwdmb725ulz322irof7iuhhblwvdyhios4u72c5vwb76crva._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/211006-x8ezrabed4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://checkvim.com/fd4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

2cf409f8118930987ab4dd551c491ced6e96387e6a3b82dbfd29c90cad9d541a

MD5 hash:

cc709db3e0b49a140ed475123898f048

SHA1 hash:

46611cf1e99da9b1bb4c08e8bbe44dc012f1dd34

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/0d9271a0-19c6-4358-a897-66e186b1625c/

Parent samples :

30cac5dddc6d9c235c35ae552ec995845eb34d82f9fdb74af722f193d8f53fcb
e9caf6704d5037f6a738897160fe43f3b49384174f62b37b68d5b28ce862b0b4
8e8611d4f594d003a87db801b69a0c132114fea33aca39c7fcc8a18cb17d1985
3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a
1f0573284ea83d62476e97156074ba2a7a1f046e21cbe82244234725999e1bbf
7532843070bc15b8f344e854f792fd7238819519a9c6bd048030a3575bc2c891
895a3f8a366ed73ca1cab8ef49582ada6382880654ab28e95b2902cde46e3726
711d41ba139f51e91bbb8f691f91e55655a0ad5a40f61a6bfebd9fe3d1ae2e37
61469a1a12ec1dadb9f884a0f07c23d7de89e77cb687bb6919c555de6ca8dc22
4e51be51b27ae05959149ff78aa3ebdf1010ce97def9882590b843816318faa9
5276828cc9b76bee177d1ff0f6fa4209a00f01a7e8aa70561cc520f0adc4d856
4f28f8460abcaaf087c8f7ac3980916768846e60a096763429bc66bed1e62f57
6065a675d7139a622ce9b68fbd2b6909ce47acc09a24afcf697b170b8ed53b3b
a000b23522b61426cc40661c7a0d46b2e897d95c010f9496bbcd848576d64dc2

SH256 hash:

fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03

MD5 hash:

c380b6831f456ac5cac08c78c0e4dada

SHA1 hash:

3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c

Link:

https://www.unpac.me/results/0d9271a0-19c6-4358-a897-66e186b1625c/

SH256 hash:

96d9ca86b93eb9b5636c3933feecc821a2f22c6d2cc57ddb0e5edd67678ec679

MD5 hash:

fb073be3d8b598ef75d56ca8082b62b2

SHA1 hash:

1aed98bd9a46cb4de09cff6ff4a896c8c4c2542f

Link:

https://www.unpac.me/results/0d9271a0-19c6-4358-a897-66e186b1625c/

SH256 hash:

3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a

MD5 hash:

40cdcc9d27361a0721fc24e5a74107ed

SHA1 hash:

5386dedf2b0584522fe02fb365fdd0dfd31e780e

Link:

https://www.unpac.me/results/0d9271a0-19c6-4358-a897-66e186b1625c/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3c7cc3586c0f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 3c7cc3586c0ff5da2f3bd6911717e8a1ce15daa3c1d0e9729fd0bb5b07fe146a

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1658642/

Cape

https://www.capesandbox.com/analysis/195535/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-10-06 19:30:58 UTC

url : hxxp://103.167.90.177/0789/vbc.exe