MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd
SHA3-384 hash:	33c5b578f27917b4963ee51d88ff10eb9da8d0c80bac55d536048b29f803eaf40d8861669cde0ee06d8b74fc4844f0e6
SHA1 hash:	5b47eda1bd9b646d823aa8c2c6aca0397aedc4c5
MD5 hash:	af885bcaa4c526f0716748906ec7c32a
humanhash:	stairway-batman-july-glucose
File name:	AWB 09458765346.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	890'368 bytes
First seen:	2022-10-05 14:09:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:oUc2iNAR0eO8cf5G4niw6r16A5VBCzCCiEDmiZE4ve:41peOB5Gxfz/HCiEqEE4ve
Threatray	10'537 similar samples on MalwareBazaar
TLSH	T10C15CF21C3A2DA4AD0161338DDF2D3F16FE85E65E5B9C60B4FE9BD2BB4260935603C85
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://162.0.223.13/?oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://162.0.223.13/?oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G	https://threatfox.abuse.ch/ioc/870787/

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/316927/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Stealing user critical data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

packed

Link:

https://www.filescan.io/uploads/633d903bd089a0c15dd5554b/reports/e910f454-192d-43bc-8302-07c0b8723e73/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c70eee9e-e1fe-4667-9403-5eebdbe4b52c

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1084178

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd/

Threat name:

ByteCode-MSIL.Trojan.Leonem

Status:

Malicious

First seen:

2022-10-05 14:11:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=h4ehnebs523wsnx7idvh6tqzlf3seczxe6m26fp6xrsiizajk3gq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

def88fc364ed03678d528bfd6bc39f19ff1831b098aaf0705fa13063c4044a2a

Loki

ec2a93f1858ba7e0de894944d57fb4b2f3021e5574d1b3594bfd8ffe32f7b029

Loki

f998a60cb95f390ca201950cf41b1764646f2f8ca91f13c05fbf78282518e741

Loki

fa4058c30f37d1cdb72e5bbcc467ff8f9b584b090bfdf723ac1f04817980096a

Loki

+ 10'527 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/221005-rgpf8aeed4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://162.0.223.13/?oTWpxPBp8jPKmiIpZe60rg2knpeKuIXTCTi9JUyRdoCzHlZGz5G
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ae7f7b58-aca0-405b-b9aa-c2ca958129e5

Unpacked files

SH256 hash:

9d690ac59e3f89f5c5abd8f51273f851989b21e902af33f082a4a35f3c5166d2

MD5 hash:

3afee3bf728f15eda60e46e7026879c3

SHA1 hash:

f941b70602959deb75b0d85b1bebc18ddf2414db

Link:

https://www.unpac.me/results/c3618ecf-76b9-42d4-b716-5ac68bf9ea18/

SH256 hash:

d97616a4be3f1f339044f9ac6b7a955cec57bc3cca6ec38f0418b06609a4f07a

MD5 hash:

1cc2927fe3e212bdaed8f202764cd57c

SHA1 hash:

9c851ac74aa436f099f54c4c0d6923553b3d9f2e

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/c3618ecf-76b9-42d4-b716-5ac68bf9ea18/

Parent samples :

1aebe5d59997e78b81ad714be8dfd697665381018041c62a40a55f0ce215ea35
3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd
e46b29e73da9b6301763e29451926153ee4390538e3253b7b9db85f915be8f98
6b79e320399d6349c33a999ae7a8c2009020133f8ed06ba257032b4423dce8b0

SH256 hash:

5fbdcb76c77563ed3d729fdca3396169c54443253001cf9b1b6b75a0f75cdcb4

MD5 hash:

629c31e71cfa6aab7a62bef45298816c

SHA1 hash:

932da9270d08d3b97ad1fb75e3d3180481f91096

Link:

https://www.unpac.me/results/c3618ecf-76b9-42d4-b716-5ac68bf9ea18/

SH256 hash:

1c72b07583076e8d9e9a4db78d606c9f93c18c72c11882e16024dc0620e7671f

MD5 hash:

f9899b5c5c3c034ed9444e14ff85ffac

SHA1 hash:

859fc6498b146bb605adc71ad36f933788f09a13

Link:

https://www.unpac.me/results/c3618ecf-76b9-42d4-b716-5ac68bf9ea18/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/c3618ecf-76b9-42d4-b716-5ac68bf9ea18/

SH256 hash:

3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd

MD5 hash:

af885bcaa4c526f0716748906ec7c32a

SHA1 hash:

5b47eda1bd9b646d823aa8c2c6aca0397aedc4c5

Link:

https://www.unpac.me/results/c3618ecf-76b9-42d4-b716-5ac68bf9ea18/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3f08769032ee/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3f08769032eeb76936ff40ea7f4e195977220b372799af15febc6484640956cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/316927/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample