MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 2 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961
SHA3-384 hash: 5e97a48d58e124c240abce0bce6d365c6950686e460c847c97734bb8b256ba9dbe28d5cb8c54239a0eb0ccd848816ac3
SHA1 hash: 1f4213eeaf0990d62b6c46ea8f29026c1555bc1a
MD5 hash: b31fdfb032644bcb1f8b072f4dc5e11a
humanhash: edward-solar-oxygen-maine
File name:b31fdfb032644bcb1f8b072f4dc5e11a.exe
Download: download sample
Signature Loki
Create hunting rule
File size:202'400 bytes
First seen:2022-01-20 15:38:00 UTC
Last seen:2022-01-20 18:04:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 49b15580bd181e45d4d97bbfb270c139 (3 x Loki, 1 x Pony, 1 x GuLoader)
ssdeep 1536:HhsFidcwgFEDQN9aF5kqTwn5wwBq1hYKkoCQl0kzuKnIKSEHQFo/dWP342:2Fccwgt9tyw57kMKN/2kZnr/3/Oo2
Threatray 8'736 similar samples on MalwareBazaar
TLSH T1F614F771B440605EF172BF3168BCB355A8193CBE0521697BBDC17B4A19331D3E0A6BAB
File icon (PE):PE icon
dhash icon 1003873d31213f10 (149 x DarkCloud, 132 x GuLoader, 132 x a310Logger)
Reporter abuse_ch
Tags:exe Loki signed

Code Signing Certificate

Organisation:vgavisen
Issuer:vgavisen
Algorithm:sha256WithRSAEncryption
Valid from:2022-01-20T06:31:37Z
Valid to:2023-01-20T06:31:37Z
Serial number: 00
Intelligence: 332 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 77e435c505124adbeec2dff936aa99eb4a3d96d51b76886f1f80607d0ee62445
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Loki C2:
http://windowssecuritycheck.gdn/gx/l/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://windowssecuritycheck.gdn/gx/l/fre.php https://threatfox.abuse.ch/ioc/306773/
http://windowssecuritycheck.gdn/gx/p/gate.php https://threatfox.abuse.ch/ioc/306774/

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Detection:
GuLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/221152/
Detection(s):
SecuriteInfo.com.ArtemisB31FDFB03264.3235.24258.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61e981e10f8c757253d11262/reports/df181c01-86b4-49f2-9e88-b8965d77d357/overview
Gathering data
Result
Threat name:
GuLoader Lokibot
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/924502
Signature
Drops PE files with a suspicious file extension
GuLoader behavior detected
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
pony
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 12:09:34 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j32sr5a4oszipi54rpfuz4on4fwvjmh3377bd2cf4wvcwzlnzfqq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
7afa7c7724abb034d3155e1e1fc1fd3f9961e56fd6119428d975d8aaee3070f9
Loki
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
Loki
ab2261ddf24d2524a3ffe99044fac988f6178be9bc78d28cd5db289c414c3a4f
Loki
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
Loki
c6e5156c311412210237810450648947699d1c4862536a4e86b778e899627292
Loki
de2346e7683a4ed34d62a2954a38949335e6c1b27085a1cc82c08b0c6aec514e
Loki
+ 8'726 additional samples on MalwareBazaar
Result
Malware family:
pony
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot family:pony collection discovery downloader persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220120-s23d9aaed8/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks QEMU agent file
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
Guloader,Cloudeye
Lokibot
Pony,Fareit
Malware Config
C2 Extraction:
http://windowssecuritycheck.gdn/gx/l/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://windowssecuritycheck.gdn/gx/p/gate.php
Unpacked files
SH256 hash:
4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961
MD5 hash:
b31fdfb032644bcb1f8b072f4dc5e11a
SHA1 hash:
1f4213eeaf0990d62b6c46ea8f29026c1555bc1a
Link:
https://www.unpac.me/results/0b0d4297-d03f-44a3-bde7-7e3eaab033b9/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4ef528f41c74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 4ef528f41c74b287a3bc8bcb4cf1cde16d54b0fbdffe11e845e5aa2b656dc961

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1992950/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/221152/

Comments