MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4065b5b4d3bceafc210edd1747a3a7679521285b885a253efeb7cace4c97ab3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	4065b5b4d3bceafc210edd1747a3a7679521285b885a253efeb7cace4c97ab3a
SHA3-384 hash:	a8dcf4fc02a7824eea2de8dd4cc07d67c2fb182009752d03e39724da37ef78a95d1c7c19cd97900a96f81bd2475171e9
SHA1 hash:	d8bfd92437de81f2627a79b23e8bd6a910f481c3
MD5 hash:	059b3bb4bbd095c9d7d64d287bfec5d4
humanhash:	high-september-autumn-april
File name:	SecuriteInfo.com.Win64.CrypterX-gen.21705.5431
Download:	download sample
Signature	Loki Create hunting rule
File size:	146'944 bytes
First seen:	2022-10-07 00:18:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:pHT2Jno9HcoQUv3Uf2slY2XpIP5VXQbM3f4ZBuSj2O:pHT2DopvU+6vSPw6wp2
Threatray	18 similar samples on MalwareBazaar
TLSH	T1BAE35C5DA7DF7670DC14C53F062918E0295D2E48D90092BBEB1AA0F22AC7ED71C2ED79
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

339

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/317445/

Detection(s):

SecuriteInfo.com.Win64.CrypterX-gen.21705.5431.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

DNS request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Sending a custom TCP request

Stealing user critical data

Query of malicious DNS domain

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/633f707790cb824e9da0348d/reports/fcae5893-46f3-4c43-a687-af4f9f386300/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/1d9d70ca-b16b-477d-881c-2255c4e7e004

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1085400

Signature

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4065b5b4d3bceafc210edd1747a3a7679521285b885a253efeb7cace4c97ab3a/

Threat name:

Win64.Trojan.Sdum

Status:

Malicious

First seen:

2022-10-06 23:14:14 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

13 of 26 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ibs3lngtxtvpyiio3ulupi5hm6ksckc3rbnckpx6w7fm4texvm5a._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/221007-al64dsbbd3/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Lokibot

Malware Config

C2 Extraction:

http://sempersim.su/gk23/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ef5d7753-1452-4c7a-832f-abe0108218a4

Unpacked files

SH256 hash:

4065b5b4d3bceafc210edd1747a3a7679521285b885a253efeb7cace4c97ab3a

MD5 hash:

059b3bb4bbd095c9d7d64d287bfec5d4

SHA1 hash:

d8bfd92437de81f2627a79b23e8bd6a910f481c3

Link:

https://www.unpac.me/results/4bd8804a-212a-4679-849d-c613402b7c84/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/4065b5b4d3bceafc210edd1747a3a7679521285b885a253efeb7cace4c97ab3a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/317445/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample