MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43b1be37a13f39bb1c1a60e32300fcffad776957814be8f63e85fab69d92a6a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Loki

Vendor detections: 9

SHA256 hash: 43b1be37a13f39bb1c1a60e32300fcffad776957814be8f63e85fab69d92a6a5
SHA3-384 hash: 9d15b658533dd798d974ebead506516d645e929e77b1eac1d620efedbc58db2697e4a7b84dcd023c7f380a7065ef3738
SHA1 hash: 200bb5c81980c7c123a64d33584b0eb99cea46ba
MD5 hash: 6108ed9a1f67abf372875495c4e13f2a
humanhash: island-orange-december-xray
File name: MT2055610357.exe
Signature: Loki
File size: 188'928 bytes
First seen: 2022-04-26 10:56:47 UTC
Last seen: 2022-04-26 11:56:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 1536:jm33+/B7bFH7XcksAY7ooovoycKyKyKyKyKyKy9uC7CvvvvvvgF7zujqlEYwS9wx:K+/BeklYh111111zzujqlEd
Threatray: 7'552 similar samples on MalwareBazaar
TLSH: T1C5041EA8F2E1E279C81782313A3CFC7347F50DBCD870D915A9ADF9E0D521EA61B22546
TrID:
  72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 108088888c888010 (6 x AgentTesla, 3 x SnakeKeylogger, 3 x Formbook)
Reporter: abuse_ch
Tags: exe Loki


Comment by abuse_ch:
Loki C2: 37.0.11.6:141

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                 ThreatFox Reference
37.0.11.6:141                       https://threatfox.abuse.ch/ioc/534238/
http://37.0.11.6/tect/210/pin.php   https://threatfox.abuse.ch/ioc/534239/

Intelligence


File Origin
# of uploads: 2
# of downloads: 292
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe obfuscated packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Lokibot NetWire
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Internet Explorer form passwords
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected NetWire RAT
Behaviour
Behavior Graph ID: 615658
Sample: MT2055610357.exe
Start date: 26/04/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  - Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  - Found malware configuration
  - Malicious sample detected (through community Yara rule)
  - 7 other signatures

Process tree (as reconstructed from the behavior graph):
  MT2055610357.exe
    Network: 20.222.50.134, ports 49773, 49797, 49807 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
    Dropped: C:\Users\user\AppData\...\Fxsflcst.exe (PE32)
    Dropped: C:\Users\...\Fxsflcst.exe:Zone.Identifier (ASCII)
    Dropped: C:\Users\user\...\MT2055610357.exe.log (ASCII)
    Signature: Creates multiple autostart registry keys
    MT2055610357.exe (child instance)
      Dropped: C:\Users\user\AppData\...\FB_B304.tmp.exe (PE32)
      Dropped: C:\Users\user\AppData\...\FB_A74B.tmp.exe (PE32)
      FB_B304.tmp.exe
        Dropped: C:\Users\user\AppData\Roaming\...\Host.exe (PE32)
        Signature: Found evasive API chain (may stop execution after checking mutex)
        Signature: Machine Learning detection for dropped file
        Signature: Contains functionality to steal Internet Explorer form passwords
        Signature: Contains functionality to steal Chrome passwords or cookies
        Host.exe
          Dropped: C:\Users\user\AppData\Roaming\...\sqlite3.dll (PE32)
          Signature: Found evasive API chain (may stop execution after checking mutex)
          Signature: Machine Learning detection for dropped file
          Signature: Found stalling execution ending in API Sleep call
          Signature: 4 other signatures
      FB_A74B.tmp.exe
        Network: 37.0.11.6, ports 141, 49784, 49786 (WKD-ASIE, Netherlands)
        Dropped: C:\Users\user\AppData\...\B52B3F.exe (copy) (PE32)
        Signature: Antivirus detection for dropped file
        Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
        Signature: Tries to steal Mail credentials (via file registry)
        Signature: 3 other signatures
    cmd.exe
      conhost.exe
      timeout.exe
  Fxsflcst.exe
    Signature: Multi AV Scanner detection for dropped file
    Signature: Machine Learning detection for dropped file
  Host.exe
  2 other processes
Threat name: ByteCode-MSIL.Trojan.Strictor
Status: Malicious
First seen: 2022-04-26 10:13:51 UTC
File Type: PE (.Net Exe)
Extracted files: 24
AV detection: 16 of 26 (61.54%)
Threat level: 5/5

Result
Malware family: netwire
Score: 10/10
Tags: family:lokibot family:netwire botnet collection persistence rat spyware stealer trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
NetWire RAT payload
Netwire
Malware Config
C2 Extraction:
http://37.0.11.6/tect/210/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: 43b1be37a13f39bb1c1a60e32300fcffad776957814be8f63e85fab69d92a6a5
MD5 hash: 6108ed9a1f67abf372875495c4e13f2a
SHA1 hash: 200bb5c81980c7c123a64d33584b0eb99cea46ba

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers.

Rule name: infostealer_loki

Rule name: infostealer_xor_patterns
Author: jeFF0Falltrades
Description: The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name: Loki
Author: kevoreilly
Description: Loki Payload

Rule name: LokiBot
Author: kevoreilly
Description: LokiBot Payload

Rule name: malware_Lokibot_strings
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: MAL_Lokibot_Stealer
Description: Detects Lokibot Stealer Variants

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: STEALER_Lokibot
Author: Marc Rivero | McAfee ATR Team
Description: Rule to detect Lokibot stealer

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.lokipws.

File information


The table below shows additional information about this malware sample such as delivery method and external references.