MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 4b9d6921c78211705daddc2842fd240d77a25a229980e2c2139ea34680a7f11b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 9
| SHA256 hash: | 4b9d6921c78211705daddc2842fd240d77a25a229980e2c2139ea34680a7f11b |
|---|---|
| SHA3-384 hash: | 7bf1295974410ba3f707a75581a114553d8f8b8006fe594b8252be644b9effaa0bf49070cfe9bdd0ed86fc1eb60c11d0 |
| SHA1 hash: | 1e70dee588138b5f43f043187ab07b6ffa18eb6d |
| MD5 hash: | 371a120c6169703a934fa70021e2154f |
| humanhash: | robert-montana-mountain-orange |
| File name: | Remittance Advice-#103847854998543.exe |
| Download: | download sample |
| Signature | Loki |
| File size: | 747'008 bytes |
| First seen: | 2020-10-23 08:59:20 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 9a9a604add49b2c4a1781d20e7247f0f (6 x Loki, 1 x RemcosRAT, 1 x AgentTesla) |
| ssdeep | 12288:EvVpPk7WuYkn6Mhp5KuDHCsY3csg2+Ls5PFKuHd68sGZ8PFWus0PHSzTjnK02YBz:EDPk5lP/jDYfgFwVE8fOcuJgK02Gvl |
| Threatray | 1'740 similar samples on MalwareBazaar |
| TLSH | A6F49FE3E2BD4837C163163D9C1B5764A935FE502E28F9863BF51C4C9F38A913929287 |
| Reporter |  abuse_ch |
| Tags: | exe Loki |
abuse_ch
Malspam distributing Loki:HELO: dekomutfak.com
Sending IP: 83.149.106.6
From: Muhasebe Parsa <info@dekomutfak.com>
Subject: RE: Transfer Copy
Attachment: Remittance Advice-103847854998543.txt.gz (contains "Remittance Advice-#103847854998543.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Sending a UDP request
Changing a file
Replacing files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.Androm
Status:
Malicious
First seen:
2020-10-23 08:11:09 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Similar samples:
+ 1'730 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Score:
10/10
Tags:
spyware trojan stealer family:lokibot
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://qataracfridgerepaire.com/wp-admin/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
4b9d6921c78211705daddc2842fd240d77a25a229980e2c2139ea34680a7f11b
MD5 hash:
371a120c6169703a934fa70021e2154f
SHA1 hash:
1e70dee588138b5f43f043187ab07b6ffa18eb6d
SH256 hash:
6c6384e2d70575a9d91a107ed8732ab202c0b737a9b41b5cd19724553dc68a39
MD5 hash:
0d4a738e721753ef3e7a01853c8de437
SHA1 hash:
7f9d9e712839f6cc0eafe47818708fed3fe14d52
Detections:
win_lokipws_g0
win_lokipws_auto
Parent samples :
33d9421e4e71fbd21729972746d586517926e7c2338ae53185d9438266978cda
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
0bd5d64782a5e667b4bdff972591924d34e653e636c2f9c21b14e844c3cf9b74
4b9d6921c78211705daddc2842fd240d77a25a229980e2c2139ea34680a7f11b
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
dc92a5d042a719af5689f99b6423e6ab0a63a6617ac33ccc10781605158ba138
928d262c6531d61866ce87f23a2f67ce7e44071213275f697b7073e95c6e688c
806fb889e0c86660bda36857336402d09ec8b4af9145c7ad00c2e1607b26b290
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
0bd5d64782a5e667b4bdff972591924d34e653e636c2f9c21b14e844c3cf9b74
4b9d6921c78211705daddc2842fd240d77a25a229980e2c2139ea34680a7f11b
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
dc92a5d042a719af5689f99b6423e6ab0a63a6617ac33ccc10781605158ba138
928d262c6531d61866ce87f23a2f67ce7e44071213275f697b7073e95c6e688c
806fb889e0c86660bda36857336402d09ec8b4af9145c7ad00c2e1607b26b290
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Email_stealer_bin_mem |
|---|---|
| Author: | James_inthe_box |
| Description: | Email in files like avemaria |
| Rule name: | Lokibot |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Lokibot in memory |
| Reference: | internal research |
| Rule name: | STEALER_Lokibot |
|---|---|
| Author: | Marc Rivero | McAfee ATR Team |
| Description: | Rule to detect Lokibot stealer |
| Rule name: | win_lokipws_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | autogenerated rule brought to you by yara-signator |
| Rule name: | with_sqlite |
|---|---|
| Author: | Julian J. Gonzalez <info@seguridadparatodos.es> |
| Description: | Rule to detect the presence of SQLite data in raw image |
| Reference: | http://www.st2labs.com |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.