MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44af7302c97eab1187371407735c5192c41b07f4e5ead51adb620f1066d076e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44af7302c97eab1187371407735c5192c41b07f4e5ead51adb620f1066d076e9
SHA3-384 hash: e1831a1f0b99424064c89d1850089fbaa3d8eba4eec57b39d2444a5d0f466f65d366e582f206ed08010c56e5f7ff669f
SHA1 hash: 5dd72a9e265b808ff056ed17e2a44304bf93bbfc
MD5 hash: edabe5d164ffe9d49046045eb80e3d22
humanhash: nebraska-freddie-vermont-mobile
File name:Arshehkar Co November Order Request 778988647TGTT.scr
Download: download sample
Signature Loki
Create hunting rule
File size:1'241'792 bytes
First seen:2020-11-05 09:26:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash eb7f24d623823df7a34ad95dfb8bfd95 (15 x ModiLoader, 1 x AveMariaRAT, 1 x Loki)
ssdeep 24576:g0S5Bo6taFaaRKDZAI89d6yzEJR4qpQSMlVHfoj:gpjExRbzEJuqpRMlE
Threatray 28 similar samples on MalwareBazaar
TLSH 3C455B72F640D431E42229755D1AC6FCA43ABDB02D24940A7BE9EF5C2E372D3B936247
Reporter abuse_ch
Tags:BitRAT Loki nVpn RAT scr


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mik0.g1economia.com
Sending IP: 185.132.53.49
From: Elham Farnam <home@g1economia.com>
Subject: Arshehkar Co November Order Request 778988647TGT
Attachment: Arshehkar Co November Order Request 778988647TGTT.rar (contains "Arshehkar Co November Order Request 778988647TGTT.scr")

Loki C2:
http://www.zi-chem.co/Panel/five/fre.php

BitRAT C2:
nexty.dnsupdate.info:8070 (91.193.75.108)

Pointing to nVpn:

% Information related to '91.193.75.0 - 91.193.75.255'

% Abuse contact for '91.193.75.0 - 91.193.75.255' is 'abuse@privacyfirst.sh'

inetnum: 91.193.75.0 - 91.193.75.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-KG
country: KG
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
abuse-c: ACRO34258-RIPE
mnt-by: PRIVACYFIRST-MNT
mnt-by: RIPE-NCC-END-MNT
org: ORG-KHd1-RIPE
sponsoring-org: ORG-MW1-RIPE
status: ASSIGNED PI
created: 2012-06-04T11:05:55Z
last-modified: 2020-09-04T11:35:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83152/
Detection(s):
SecuriteInfo.com.Fareit-FZO82C53D0CF1F4.16975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
DNS request
Connection attempt
Sending a TCP request to an infection source
Result
Threat name:
AgentTesla AveMaria BitRAT Lokibot ModiLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521168
Signature
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Fodhelper UAC Bypass
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected aPLib compressed binary
Yara detected AveMaria stealer
Yara detected BitRAT
Yara detected Lokibot
Yara detected ModiLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 309685 Sample: Arshehkar Co November Order... Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 60 nexty.dnsupdate.info 2->60 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 18 other signatures 2->80 10 Arshehkar Co November Order Request 778988647TGTT.exe 1 16 2->10         started        15 Qfeadrv.exe 14 2->15         started        17 Qfeadrv.exe 14 2->17         started        signatures3 process4 dnsIp5 66 storage.urown.cloud 194.15.36.155, 443, 49734, 49759 MYLOC-ASIPBackboneofmyLocmanagedITAGDE Germany 10->66 58 C:\Users\user\AppData\Local\...\Qfeadrv.exe, PE32 10->58 dropped 88 Writes to foreign memory regions 10->88 90 Creates a thread in another existing process (thread injection) 10->90 92 Injects a PE file into a foreign processes 10->92 19 Arshehkar Co November Order Request 778988647TGTT.exe 1 17 10->19         started        24 notepad.exe 4 10->24         started        68 192.168.2.1 unknown unknown 15->68 94 Multi AV Scanner detection for dropped file 15->94 26 Qfeadrv.exe 15->26         started        file6 signatures7 process8 dnsIp9 62 nexty.dnsupdate.info 91.193.75.108, 49757, 8070 DAVID_CRAIGGG Serbia 19->62 64 storage.urown.cloud 19->64 50 C:\Users\user\AppData\...\oritel4[1].exe, PE32 19->50 dropped 52 C:\Users\user\AppData\Local\...\build[1].exe, PE32 19->52 dropped 54 C:\Users\user\AppData\Local:05-11-2020, ASCII 19->54 dropped 82 Creates files in alternative data streams (ADS) 19->82 84 Hides threads from debuggers 19->84 86 Injects a PE file into a foreign processes 19->86 28 Arshehkar Co November Order Request 778988647TGTT.exe 54 19->28         started        32 Arshehkar Co November Order Request 778988647TGTT.exe 2 12 19->32         started        56 C:\Users\Public56atso.bat, ASCII 24->56 dropped 34 cmd.exe 1 24->34         started        36 cmd.exe 1 24->36         started        file10 signatures11 process12 dnsIp13 70 zi-chem.co 217.195.154.94, 49769, 49770, 49771 SHOCK-1US Netherlands 28->70 72 www.zi-chem.co 28->72 96 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->96 98 Tries to steal Mail credentials (via file access) 28->98 100 Tries to harvest and steal ftp login credentials 28->100 102 Tries to harvest and steal browser information (history, passwords, etc) 28->102 38 iexplore.exe 32->38         started        40 conhost.exe 34->40         started        42 reg.exe 1 1 34->42         started        44 conhost.exe 36->44         started        signatures14 process15 process16 46 iexplore.exe 38->46         started        48 iexplore.exe 38->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44af7302c97eab1187371407735c5192c41b07f4e5ead51adb620f1066d076e9/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 05:44:33 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=isxxgawjp2vrdbzxcqdxgxcrslcbwb7u4xvnkgw3mihrazwqo3uq._file
Verdict:
suspicious
Similar samples:
159676d64d4a593ffa25f69875f6dc59f05f75f3b135825b5ebda6c67adc475e
Loki
2ca6ec7b8f70c8d16ad384a61e4c1cbb9ec02bd51e21648aa5f6af3fd40abd92
Loki
4d322ecc6fcc290df5cad72839e39862e84be629b7debc71474f5760e4430019
Loki
80b60b15186be0ecab7ea836bbe4e42477d1c9dfa1d984b1f9ae8670cf7380a1
Loki
97b34cb713e879fb7cfe158a3180b73d1c71b71446368f242a0c004d0c3462dd
Loki
9f6b63a12d79521712f768014b6b5f67b363c7a1dc4d42d356056b69979ac293
Loki
ab9041fe7e0a4a439521d6eb01cc16d74c00a0427c86b067120ac453ba7329d9
Loki
af84cf642737e0b62537d9a78861cc129fbc0e68a34770cb70c6ccaa3f553687
Loki
f8608a3ef512bce8dbb388a81890968676d99a89e11ca282bcc846ed19fdc6ca
Loki
f91dac6b3f959138295d2a16c4ff1ea413dd37c221ce0bd3cec5c680c00548a3
Loki
+ 18 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:lokibot family:modiloader persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201105-g9fq2t8qan/
Behaviour
Modifies registry key
Modifies system certificate store
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
ModiLoader Second Stage
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://www.zi-chem.co/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
44af7302c97eab1187371407735c5192c41b07f4e5ead51adb620f1066d076e9
MD5 hash:
edabe5d164ffe9d49046045eb80e3d22
SHA1 hash:
5dd72a9e265b808ff056ed17e2a44304bf93bbfc
Link:
https://www.unpac.me/results/389cebfa-6e1e-489d-9033-298ff22df517/
SH256 hash:
0a70c2f1d70aa0ebf46163c63acb5a7b3d3ca169a018017bdc19e642a6d24506
MD5 hash:
b4564fdf1e9aeeb933b045ce40b058fd
SHA1 hash:
437ee744b0ef530851a751f57c38b0a42363e3fc
Link:
https://www.unpac.me/results/389cebfa-6e1e-489d-9033-298ff22df517/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_bit_rat_w0
Create hunting rule
Author:KrabsOnSecurity
Description:String-based rule for detecting BitRAT malware payload
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar d6487c0491aba5361781daa23c5420c609d9f3ee840acded4c85e26f38766a4f

Loki

Executable exe 44af7302c97eab1187371407735c5192c41b07f4e5ead51adb620f1066d076e9

(this sample)

  
Dropped by
MD5 f1e7eeba16bc81fadb4e543617ef651a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83152/
  
Dropped by
SHA256 d6487c0491aba5361781daa23c5420c609d9f3ee840acded4c85e26f38766a4f

Comments