MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eec9ac382b6fcbf861641137d9a597a04a891a47983252137a7b0fdbbeb842b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4eec9ac382b6fcbf861641137d9a597a04a891a47983252137a7b0fdbbeb842b
SHA3-384 hash: 765c098b36c21a147f961b306b8a4e2e563017dc6498c43ea48277cd0c01b8ad6c4d699b28a35b1586d959c67face785
SHA1 hash: 7d15d73f1e705b86c7d4556bd07117716e8dfcdc
MD5 hash: bdc5b9b1cd95fb24e2cbfa9047dd03df
humanhash: mirror-apart-island-carpet
File name:c1d25edc-2df8-449b-abe2-5185c1b9b0eb.exe
Download: download sample
Signature Loki
Create hunting rule
File size:738'928 bytes
First seen:2021-05-27 18:53:01 UTC
Last seen:2021-05-31 06:58:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3e7272567bf6719a2a90dbca5f3a4b3a (1 x Loki, 1 x NetWire, 1 x BitRAT)
ssdeep 12288:huxGeRhWzrlZe7q6OWA50P3TaD8vVKlWFn+yGMRNy:hyHWzrsOWxjQfELy
Threatray 3'221 similar samples on MalwareBazaar
TLSH 13F48C31A2E104B6C16A1F386C1B56548CA4BE703E24586637F96D4CAFBF3813D2E5E7
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://sanpauliomkop.sytes.net/UJQNIOjnf/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://sanpauliomkop.sytes.net/UJQNIOjnf/Panel/five/fre.php https://threatfox.abuse.ch/ioc/65661/

Intelligence

File Origin
# of uploads :
3
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c1d25edc-2df8-449b-abe2-5185c1b9b0eb.exe
Verdict:
Malicious activity
Analysis date:
2021-05-27 20:35:11 UTC
Tags:
installer
Link:
https://app.any.run/tasks/d76f7786-7840-4b3e-ab54-97bd42963318

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/162824/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Launching cmd.exe command interpreter
Changing a file
Replacing files
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Moving of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/793384
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425780 Sample: c1d25edc-2df8-449b-abe2-518... Startdate: 27/05/2021 Architecture: WINDOWS Score: 100 36 sanpauliomkop.sytes.net 2->36 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 7 other signatures 2->50 9 c1d25edc-2df8-449b-abe2-5185c1b9b0eb.exe 1 23 2->9         started        14 Nvykzt.exe 13 2->14         started        16 Nvykzt.exe 13 2->16         started        signatures3 process4 dnsIp5 42 abillamapetroleum.com 192.185.129.69, 443, 49708, 49710 UNIFIEDLAYER-AS-1US United States 9->42 34 C:\Users\Public34vykzt34vykzt.exe, PE32 9->34 dropped 60 Detected unpacking (changes PE section rights) 9->60 62 Detected unpacking (overwrites its own PE header) 9->62 64 Tries to steal Mail credentials (via file registry) 9->64 18 c1d25edc-2df8-449b-abe2-5185c1b9b0eb.exe 54 9->18         started        22 cmd.exe 1 9->22         started        66 Multi AV Scanner detection for dropped file 14->66 68 Machine Learning detection for dropped file 14->68 70 Injects a PE file into a foreign processes 14->70 24 Nvykzt.exe 14->24         started        26 Nvykzt.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 sanpauliomkop.sytes.net 41.217.36.207, 49716, 49717, 49718 SpectranetNG Nigeria 18->38 40 192.168.2.1 unknown unknown 18->40 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->52 54 Tries to steal Mail credentials (via file access) 18->54 56 Tries to harvest and steal ftp login credentials 18->56 58 Tries to harvest and steal browser information (history, passwords, etc) 18->58 28 cmd.exe 1 22->28         started        30 conhost.exe 22->30         started        signatures10 process11 process12 32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4eec9ac382b6fcbf861641137d9a597a04a891a47983252137a7b0fdbbeb842b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-05-27 13:00:50 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3wjvq4cw36l7bqwiejx3gszpickrenepgbskijxu6yp3o7lqqvq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
02944dc72a15e92ec94c453c74c9564cb59ac7717dffcb25fa854a2e587fb737
Loki
235602d2819de318cb16c1653d3e2500b64688ad18f8f4e960dff1ab0b7e4b74
Loki
58adea14242f62fb2c40adee3aa2c4888e228d9003bae5145caf3916bc27226a
Loki
7a192e61d40bed06f4bad4e004d2a1152f3c1955c4cbe6dcbe4076f400670374
Loki
8e7beef41d120fd5f547fec2a8bfdd75ab7a8c45a19b8a16c7ad20c8fc67a96f
Loki
99a2d4cae6d4e47b8eb87e544b01beb80c5bf1cd399e3d9bdbf51ac96747bbaa
Loki
d378f6971357840b8cf71b654d7ff91eb0edb08b1415fcba5b8d9aedaebcebb5
Loki
e01d70a2ddf0c706a1f5e4847f8c099ffdc821b188f98dc15f528c8bf34a6630
Loki
eaa14ff5cdf3ec428bd1b0c2689272996741a4c93f3c1289934057c3c5cafc78
Loki
f22c7b400f9e06797188424e3a849218cb7a1fd76437a988f60391fa5e17dfca
Loki
+ 3'211 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer trojan
Link:
https://tria.ge/reports/210527-zzh8jjfljj/
Behaviour
Modifies registry key
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Lokibot
Malware Config
C2 Extraction:
http://sanpauliomkop.sytes.net/UJQNIOjnf/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4eec9ac382b6fcbf861641137d9a597a04a891a47983252137a7b0fdbbeb842b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162824/

Comments