MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a
SHA3-384 hash: 784b2784138d701e01d1a256b12aa2cdf4c919bca0ee294ca0ba2067cd8f62ffe3d0bb7aa8b46ee12a57f94afae8c684
SHA1 hash: 0731ace285886c5c322741a97d5ed626dbd83b84
MD5 hash: 7a876151ca1230e8f58becae9d8cb903
humanhash: xray-floor-stream-monkey
File name:RFQ for Valves - TAG-A2R for SD job, PR 21-10.exe
Download: download sample
Signature Loki
Create hunting rule
File size:278'016 bytes
First seen:2021-05-04 05:55:47 UTC
Last seen:2021-06-10 09:24:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:5tIsFibE+vZJKZ0Hz+eXyLp/ChdWKEsth6xElNCi/T0A2nWgEVseKpZKiGZcap7:5tmbD4QSeQ2NEi6xE3CiL0AcWgE72Kf
Threatray 3'092 similar samples on MalwareBazaar
TLSH 8E440112EE18F21AC8A5487E5EA5C6FC0731AE14AC12C7476CEC7FCF797A3697805192
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://thienphatgiao.org/OG/news/school/boy/choo/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://thienphatgiao.org/OG/news/school/boy/choo/fre.php https://threatfox.abuse.ch/ioc/28646/

Intelligence

File Origin
# of uploads :
4
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149678/
Detection(s):
Win.Dropper.PlasmaRAT-9777359-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/709283
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
DLL reload attack detected
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 403567 Sample: RFQ for Valves - TAG-A2R fo... Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 8 other signatures 2->48 8 RFQ for Valves - TAG-A2R for SD job, PR 21-10.exe 3 8 2->8         started        process3 file4 30 RFQ for Valves - T...D job, PR 21-10.exe, PE32 8->30 dropped 32 RFQ for Valves - T...exe:Zone.Identifier, ASCII 8->32 dropped 34 RFQ for Valves - T...b, PR 21-10.exe.log, ASCII 8->34 dropped 36 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->36 dropped 50 Writes to foreign memory regions 8->50 52 Injects a PE file into a foreign processes 8->52 12 RFQ for Valves - TAG-A2R for SD job, PR 21-10.exe 54 8->12         started        16 wscript.exe 1 8->16         started        18 AdvancedRun.exe 1 8->18         started        20 AdvancedRun.exe 1 8->20         started        signatures5 process6 dnsIp7 38 thienphatgiao.org 103.221.222.24, 49721, 49722, 49723 FPT-AS-APTheCorporationforFinancingPromotingTechnolo Viet Nam 12->38 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->54 56 Tries to steal Mail credentials (via file access) 12->56 58 Tries to harvest and steal ftp login credentials 12->58 60 Tries to harvest and steal browser information (history, passwords, etc) 12->60 62 Wscript starts Powershell (via cmd or directly) 16->62 64 Adds a directory exclusion to Windows Defender 16->64 22 powershell.exe 26 16->22         started        40 192.168.2.1 unknown unknown 18->40 24 AdvancedRun.exe 18->24         started        26 AdvancedRun.exe 20->26         started        signatures8 process9 process10 28 conhost.exe 22->28         started       
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-05-04 05:08:06 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idujcdsi4w75476tbo6fdiotogrxrxckgbxnefczsaqzkvhybjfa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
03ddd7fbc456dfe2408a00727347e029a2b2ad6bd870ff10c324d94baf57dcfa
Loki
15e84355978fd585af794a5aa1b61144a9197d1410219a4e129aca0ce953904d
Loki
5e7621b7f875f9e6c730454d916a2bc2acb7d8b1fbc1dbe7cdb1917d42f1590b
Loki
86d5516b71ddd68cf50273d5fa8a501c399be218b35dcfc09c29ef97f3afc111
Loki
916ba1be726e073d46ce02d5697723823362efc881a4d13aa803fd137fa63adf
Loki
b1c19db83bdddbc4d91689cf0c9f035bd7778492c164fa664f99552dedc1ee10
Loki
b1c1df9daeb93473a208117db8782e0a6245e3b8c6f13da6405a79a1e36ab821
Loki
b64ddd178d652c5432004449edc53fea2abdba8633259b4d8b329e1c8484e98a
Loki
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
Loki
fdbd4ac1322e5a2c5ef5b808da68f48ca1ff111cd649c86aa0123c3d5538c7f0
Loki
+ 3'082 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210504-y4k4fv6jes/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Lokibot
Malware Config
C2 Extraction:
https://thienphatgiao.org/OG/news/school/boy/choo/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
36cc992365b1d99baaf09b583833db193e3e08d5b3cb357a275ea31a3a75ee65
MD5 hash:
96bb0783c85dc017e50ce88bf89ef1ac
SHA1 hash:
fffa056175b5d5f3bd605efa3c08a9536174714f
Link:
https://www.unpac.me/results/9b26f126-47e8-4680-a08d-87c666f405f6/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/9b26f126-47e8-4680-a08d-87c666f405f6/
SH256 hash:
cd25af2b32edbbb0d37fe8203bd227e6f0035153664c547f76f574918ea031de
MD5 hash:
c161292c3824dd05678a40feb88212a2
SHA1 hash:
1f85b7c90995d4220d73c94281c54169cdc5a459
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b26f126-47e8-4680-a08d-87c666f405f6/
SH256 hash:
29dd8eef89c3cf8f93e3418ea5f66b21f9d555108c66d63a3257e8a862600ee3
MD5 hash:
a3cb2626ef74a16657b4a71d128e72a5
SHA1 hash:
10e74b3a0a9e42147b63ca3c6487d844c3b9b918
Link:
https://www.unpac.me/results/9b26f126-47e8-4680-a08d-87c666f405f6/
SH256 hash:
40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a
MD5 hash:
7a876151ca1230e8f58becae9d8cb903
SHA1 hash:
0731ace285886c5c322741a97d5ed626dbd83b84
Link:
https://www.unpac.me/results/9b26f126-47e8-4680-a08d-87c666f405f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149678/

Comments