MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb
SHA3-384 hash: ebd86364fd7aa31e87475241931b858a8900889ee609d3fb6f4f8397e1b971b769588956c54396e6bba3f43693bc7956
SHA1 hash: 3c8f2f0861ee575558ab8d8b6affd50863048945
MD5 hash: 44af6dd32a5f7d9077f00fd4d0d97bc4
humanhash: lithium-quebec-summer-sad
File name:44af6dd32a5f7d9077f00fd4d0d97bc4
Download: download sample
Signature Loki
Create hunting rule
File size:180'736 bytes
First seen:2021-09-23 14:05:31 UTC
Last seen:2021-09-23 16:59:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e7d6aacdbba2eaeadcddfcf1af169f5c (2 x DanaBot, 1 x CryptBot, 1 x Loki)
ssdeep 3072:6swVLA2YtpE+DhIGOQOQVe4qQUi6YbC75RUVfiM2L//W4:b3BNJhOx4qQXUKf4L//
Threatray 4'760 similar samples on MalwareBazaar
TLSH T19B04AD2E76F1D572D6A31A7048B0C7A02E7BB8326B75534F27681B6E3F613C08A65317
File icon (PE):PE icon
dhash icon 1072c293b0381906 (17 x RedLineStealer, 5 x Stop, 4 x DanaBot)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ10092-23-09-2021.xlsx
Verdict:
Malicious activity
Analysis date:
2021-09-23 12:46:20 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 lokibot stealer trojan loader
Link:
https://app.any.run/tasks/a4a6d8a8-ca77-4f7c-94cb-f442ec62a95c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190785/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.20591.19734.UNOFFICIAL
Create hunting rule

Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/044cfc29-d2cd-4400-8b10-81ed1208ca4a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856584
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 14:03:04 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvlgxz3nxdo6jmtpyzshsmwwk5io362hwrwzbhwe2txty3qs3lnq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04006279e16979c72a6ffa4266149e911d3f3399183b387ccfc7e0632c91f32d
Loki
322d1102ed98c04de52a497d092cfd2adbec5eb974a77537601f90ad5eadf6db
Loki
47335767127792ab5cd98cc998c3f148bae889769741a28e151263f4d4dddd23
Loki
51fcc5eebacd36d6c7d517b0fe8d73404bc475a114739be7d734f336212f7157
Loki
6a65000d2899ac262440e41a15b5cd30f196cde449bcc5bb4af7824a253dfdfc
Loki
78a4072c06fb761e449186c822a647cc74425180151f98f371af8e242cb515d0
Loki
7ccb5892ec9e7f4ebd5fb854bda2a447818da6b1d471fa239b41fbed38cb32d5
Loki
a63a02227983a288a44ec484b3a641fae13b66754bcc8317fdc23c0a3dd111ed
Loki
e272af98ac66fa088b63aa66caeec5ea402966a2c78bb3df09d139168437cb0f
Loki
+ 4'750 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210923-refrasefd6/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=475
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
35345c8777aa8ecd5257d44bc0b2cb2ff9cae106caf5ee174fe5655625b37f2e
MD5 hash:
8a29d2431d43cf80fb534a0ed540ecf0
SHA1 hash:
f141b98493cbd182fb1233e2065b86fca570726b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/c2424738-26ad-416e-8f71-fa87c92ac1c0/
Parent samples :
4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb
8680641d5644828bf4ed6bb714bf7fc8a018748e912b56745875e471e136c953
7986de346479a9d3203949e22f990d9e8fadf86b7cdcf573ff9a2da2d7d9867c
e3efaf72472faf918f7ff2a430db45cf5ffc2eb595e1b96d4dc403603b0acced
35a1292dcbbe0e8db0893318e876fefbceb3559abe32144604c5ff66ba4dbf18
fbf8573e839732a10b86926f7431ec61f95b328db6bb074dd0f8173cbea75f2e
SH256 hash:
4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb
MD5 hash:
44af6dd32a5f7d9077f00fd4d0d97bc4
SHA1 hash:
3c8f2f0861ee575558ab8d8b6affd50863048945
Link:
https://www.unpac.me/results/c2424738-26ad-416e-8f71-fa87c92ac1c0/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4d566be76db8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 4d566be76db8dde4b26fc6647932d65750edfb47b46d909ec4d4ef3c6e12dadb

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1640901/
Cape
Cape
https://www.capesandbox.com/analysis/190785/

Comments


Avatar
zbet commented on 2021-09-23 14:05:31 UTC

url : hxxp://192.227.225.173/wed/vbc.exe