MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e463d547c3fe2e2d5214eca84e332494658db3d43d8acae0b57f763fe90c373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 3 File information Comments

SHA256 hash:	3e463d547c3fe2e2d5214eca84e332494658db3d43d8acae0b57f763fe90c373
SHA3-384 hash:	1bcdd1081c4c76a68cb6383f9c1ea60e35ec6ed2f77e2d147603596f6877c5a32558a2ba23d264de26c65b7568183468
SHA1 hash:	cc4906eea25b2bd049c86fb6b3596d4f93099daf
MD5 hash:	ce3bbea42ef57ec2e46bf953082e4a94
humanhash:	gee-juliet-idaho-black
File name:	DSCTTIGev0anK9o.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	898'560 bytes
First seen:	2021-09-09 21:30:26 UTC
Last seen:	2021-09-09 23:22:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:fC+Q2q5MD3ViwN6lQ1wrqluXIW9hTQgTCtoHsVkFceqCcNBapaKsbh9RlpNsmsUK:fCi6lNrWuYUSgtHwl
Threatray	4'656 similar samples on MalwareBazaar
TLSH	T1AD15F9283AE6705EF173EE758EE43C96EA5EB6733707D40B1053038A4E1EA82DE51176
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://zamloki.xyz/co/uo/BO.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://zamloki.xyz/co/uo/BO.php	https://threatfox.abuse.ch/ioc/191739/

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DSCTTIGev0anK9o.exe

Verdict:

Malicious activity

Analysis date:

2021-09-09 21:31:03 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/a26f98e2-0174-4a7d-bb5c-49b8abc59a21

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/186741/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.565.2786.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Reading critical registry keys

Changing a file

Replacing files

Connection attempt to an infection source

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Stealing user critical data

Query of malicious DNS domain

Moving of the original file

Sending an HTTP POST request to an infection source

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ecd7380-f889-4afe-b3c1-d16af5d38dfa

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/848458

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/3e463d547c3fe2e2d5214eca84e332494658db3d43d8acae0b57f763fe90c373/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-09-09 21:31:05 UTC

AV detection:

19 of 45 (42.22%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hzdd2vd4h7rofvjbj3fijyzsjfdfrwz5ipmkzlqlk73wh7uqynzq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/210909-1c2qesggg3/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Lokibot

Malware Config

C2 Extraction:

http://zamloki.xyz/co/uo/BO.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

MD5 hash:

29db2e114b88ae1f6a00c9aa71690043

SHA1 hash:

ec82db71443556a5b320357b0b8b09e70ec1db9c

Link:

https://www.unpac.me/results/e8e43978-bf84-4a3f-a4e4-e1e073144844/

SH256 hash:

5c63943fddcbd0bb51f1f1c3809564d9a824ed82e06a8879f61ae0a50ee38190

MD5 hash:

874adda481485b1437b9509cf78fce6c

SHA1 hash:

89b5e5075cb240dca0d39d31ae4195e634fd5e5e

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/e8e43978-bf84-4a3f-a4e4-e1e073144844/

Parent samples :

3ca91b1dd03fbe8b040ae2397ff229dd9aeb2a7403f5eaeaffceb66077e6de3e
7ec6b541616cc3f1fb1c458dd16f7edffff13a9b3c954d33442231ff38704c29
3e463d547c3fe2e2d5214eca84e332494658db3d43d8acae0b57f763fe90c373
f93294f0f37b278214d23df45c7679992d9f9df89dc679a8090e8b9ab9701ce1

SH256 hash:

a5853b3c63d771d0bd65258d46fbfdb998ccf741c3f0b6a7068108cfab1eda91

MD5 hash:

2e8da2d97b35ccd97dffd552f0428037

SHA1 hash:

5ef77da66b9088ebe6641346c40a30add41d86a2

Link:

https://www.unpac.me/results/e8e43978-bf84-4a3f-a4e4-e1e073144844/

SH256 hash:

3e463d547c3fe2e2d5214eca84e332494658db3d43d8acae0b57f763fe90c373

MD5 hash:

ce3bbea42ef57ec2e46bf953082e4a94

SHA1 hash:

cc4906eea25b2bd049c86fb6b3596d4f93099daf

Link:

https://www.unpac.me/results/e8e43978-bf84-4a3f-a4e4-e1e073144844/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3e463d547c3f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/3e463d547c3fe2e2d5214eca84e332494658db3d43d8acae0b57f763fe90c373

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/186741/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample