MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

SHA256 hash: 497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
SHA3-384 hash: 2cfd6cc18f990bc0a4b87b4359945f5ff7ee32c4663b0aa03aba4976c1d8961e9979372efe41a96d92f64251fa25eaaf
SHA1 hash: d4b46c959754f8f00e136783429455feb434e373
MD5 hash: d91d3dba1e492cdc999cd2f7d8a22c2e
humanhash: magazine-five-may-twelve
File name: 497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
Signature: Loki
File size: 1'910'940 bytes
First seen: 2024-09-11 01:32:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:p1PIEUo4HUzX3NZIYAaNtMMSmtS5Mu2AukpycABfB71cx:/hUnsQYAaNtnzS5/2xcAJhY
TLSH T1BF95230154F1C5E5EBCCC3FA4AB6F2E0A96851C9D9A977F5D03C6220EC66325C6C21AF
TrID:
  35.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
  6.9% (.ICL) Windows Icons Library (generic) (2059/9)
  6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 05a54f0530100218 (1 x Loki)
Reporter: Chainskilabs
Tags: exe Loki

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
http://idp.vn/wp-includes/js/crop/Panel/five/fre.php | https://threatfox.abuse.ch/ioc/1323273/

Intelligence


File Origin
# of uploads: 1
# of downloads: 433
Origin country: US

Vendor Threat Intelligence

Malware family: lokibot
ID: 1
File name: 497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
Verdict: Malicious activity
Analysis date: 2024-09-11 01:34:21 UTC
Tags: lokibot xor-url generic sality stealer trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 99.1%
Tags: Encryption Generic Network Stealth Msil

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: ADWIND, Lokibot, Ramnit, Sality
Detection: malicious
Classification: spre.troj.spyw.expl.evad
Score: 100 / 100
Signature:
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if a debugger is attached (DbgSetDebugFilterState,NtSetDebugFilterState)
Contains functionality to inject threads in other processes
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Detected ADWIND Rat
Disables UAC (registry)
Disables user account control notifications
DLL reload attack detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Exploit detected, runtime environment starts unknown processes
Found malware configuration
Injects a PE file into a foreign processes
Java source code contains strings found in CrossRAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Renames NTDLL to bypass HIPS
Sigma detected: Adwind RAT / JRAT File Artifact
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected AdWind RAT
Yara detected AdWind RATs dll
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected Ramnit
Yara detected Sality
Behaviour
Behavior Graph (rendered graph omitted): ID 1509118, Sample BCNFNjvJNq.exe, Startdate 11/09/2024, Architecture WINDOWS, Score 100
Threat name: ByteCode-MSIL.Trojan.Mardom
Status: Malicious
First seen: 2017-08-11 07:03:47 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Verdict: malicious
Label(s): lokipasswordstealer(pws)

Result
Malware family:
Score: 10/10
Tags: family:adwind family:lokibot family:ramnit family:sality backdoor banker collection credential_access discovery evasion persistence spyware stealer trojan upx worm
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Credentials from Password Stores: Credentials from Web Browsers
AdWind
Class file contains resources related to AdWind
Lokibot
Modifies firewall policy service
Ramnit
Sality
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash:
2e4e816f5839e007149a8987d871776a64b5eeea9a3df7f71b0db12b9ed8d517
MD5 hash:
57cde8ddd4261277272a6151855f8966
SHA1 hash:
9afc39cfad97a3ce12949b65c05f438025fdbac2
Detections:
INDICATOR_EXE_Packed_SimplePolyEngine Sality_Malware_Oct16
SHA256 hash:
00f4f4b81c6f83f070325f959b2cb2d1ca03bf4f3cc4844c992c89b79b42d06e
MD5 hash:
48b509fb36e3a89d26c903317a2f4a3e
SHA1 hash:
76b2e7375bce1f6e194c6df32dd312c9d3c88422
SHA256 hash:
b50d9afa7c5174764362bd14d4e821fb2cccbc64bff32582ebceb5e9541e86dc
MD5 hash:
3024c1d046fa31b07a151ded2e04d31c
SHA1 hash:
de54b16bef69ab5b71dcca771228e881c3bc8965
Detections:
Lokibot SUSP_XORed_URL_In_EXE STEALER_Lokibot
SHA256 hash:
b4c4bcea103daf2558e86867cc519fe649f1e6f6c0dc9d188b568798a637b320
MD5 hash:
a0d43c86dd81fa6032a33d9eac1dda46
SHA1 hash:
0b6a50f6e5cd113c9601ae46a76f2b2430409589
Detections:
lokibot win_lokipws_g0 Lokibot SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_XORed_URL_In_EXE STEALER_Lokibot
SHA256 hash:
d34b4e7472d1df3603be48d10c4a267281bc3d39ea64c424de408f0876a3035a
MD5 hash:
31de33a273cf87952e94d3534335a9b1
SHA1 hash:
4df636d4de33d549a3a6e27ca75e8eb60e77c77a
SHA256 hash:
497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
MD5 hash:
d91d3dba1e492cdc999cd2f7d8a22c2e
SHA1 hash:
d4b46c959754f8f00e136783429455feb434e373
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments