MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 504cd80cc305c3f7bb57d8ea839779e554daaf03f8c108898b8e7a4c300c4494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 504cd80cc305c3f7bb57d8ea839779e554daaf03f8c108898b8e7a4c300c4494
SHA3-384 hash: edd86e6aafd7b9a59f218e70561c7ea35708243f5e5681aa4c393679fd3de5287dc27aef0a87c845fa6a1703fb952a8a
SHA1 hash: 8f5613c034f370974bdd26c0f7f86ff94b00555f
MD5 hash: 2b782d8bdc0487882a3294e343acd511
humanhash: edward-green-nevada-three
File name:2b782d8bdc0487882a3294e343acd511.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'886'208 bytes
First seen:2022-05-16 11:40:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+aaqs3xGa0u042GAJQkWJ+gDY/fan6eFQ8ZO1bGPcQtIh+O5IWDwmfIxt9f5nw:+rqel04rYU10/VDG+W5
Threatray 7'758 similar samples on MalwareBazaar
TLSH T14595C60E12D54F51C8608E76DAF31F5EDF53DB6ADC51234AF2863729942A3BB0A007B6
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 20b1b8b0b8b0328c (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://goodboxx.in/Smeed/PWS/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://goodboxx.in/Smeed/PWS/fre.php https://threatfox.abuse.ch/ioc/571635/

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
2b782d8bdc0487882a3294e343acd511.exe
Verdict:
Malicious activity
Analysis date:
2022-05-16 11:49:24 UTC
Tags:
lokibot trojan stealer
Link:
https://app.any.run/tasks/965eb5a6-c645-4b74-923a-0fa18a04b5f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271067/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628238586b2a366ce414ddfe/reports/2aab55de-74ab-497a-a6b6-1563d133a9f9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fa41f1e-c026-4d8e-97e0-aa0ab3ae497a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994855
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 627351 Sample: hVe3Bc3a67.exe Startdate: 16/05/2022 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 10 other signatures 2->52 6 svchost.exe 1 2->6         started        9 hVe3Bc3a67.exe 1 3 2->9         started        12 svchost.exe 2->12         started        14 4 other processes 2->14 process3 dnsIp4 64 Antivirus detection for dropped file 6->64 66 System process connects to network (likely due to code injection or exploit) 6->66 68 Multi AV Scanner detection for dropped file 6->68 70 Machine Learning detection for dropped file 6->70 17 svchost.exe 53 6->17         started        34 C:\Users\user\AppData\Local\svchost.exe, PE32 9->34 dropped 36 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 9->36 dropped 38 C:\Users\user\AppData\...\hVe3Bc3a67.exe.log, ASCII 9->38 dropped 72 Writes to foreign memory regions 9->72 74 Drops PE files with benign system names 9->74 76 Injects a PE file into a foreign processes 9->76 22 MSBuild.exe 54 9->22         started        24 MSBuild.exe 9->24         started        26 MSBuild.exe 9->26         started        28 svchost.exe 12->28         started        30 svchost.exe 12->30         started        42 127.0.0.1 unknown unknown 14->42 44 192.168.2.1 unknown unknown 14->44 file5 signatures6 process7 dnsIp8 32 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 17->32 dropped 54 System process connects to network (likely due to code injection or exploit) 17->54 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->56 58 Tries to steal Mail credentials (via file / registry access) 17->58 62 2 other signatures 17->62 40 goodboxx.in 103.116.16.4, 49793, 49796, 49798 IHNET-AS-APIHNetworksLLCSG United States 22->40 60 Tries to steal Mail credentials (via file registry) 24->60 file9 signatures10
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/504cd80cc305c3f7bb57d8ea839779e554daaf03f8c108898b8e7a4c300c4494/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-05-11 18:13:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbgnqdgdaxb7po2x3dvihf3z4vknvlyd7daqrcmlrz5eymamiska._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
12943fc8f2a6c50269500379f4bd7c1e9eff514178699dcc90b0447f1bf4d75b
Loki
19a74b73bfbb078a9a9fe5c0789d7d011ea547dc2f6a8e17f44efe7c5dffcf57
Loki
3664c59f198b6e3ec2bc254b9758fe20046b4cddd0a35f3e9c8fbf631c5a8a50
Loki
604cfa1c1f0957f81456dca9dc28be711eacdb2b64ec0023b8dad52e9627ff00
Loki
791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544
Loki
89135baf5191bcfa7b3f317fb12da0a30c2f3cdb320fe0c31b22e5dbbb2b472a
Loki
dd9194cf20f72e8f2f0b2fd08c9a4175e222b18de4738b43aa9274f5111cb01b
Loki
f366cb892570b264ce73bd7c818ee214f0e5f00dc008a4dac5fa5cdc095ddab7
Loki
+ 7'748 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220516-ntek1aaac8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
https://goodboxx.in/Smeed/PWS/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
be4a2c51c976789a113a9eaba672eea5f53e81c1697c6c0574f7fdb02ff0133a
MD5 hash:
8d5c72379372eb3f4c41431a8e6e61bb
SHA1 hash:
f63a3ba408e60bb8da14d57b8f3d722da0cb709b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/7c253618-9f58-428f-9371-c52da0db01a7/
SH256 hash:
ba48cb3e01bce633241830cb086aae48138b7f4343ce67e388cdd720ec696641
MD5 hash:
8d07e24f7a444f75bae5b1019e8753b6
SHA1 hash:
74e368d872ab723dbc157f565b68d102cb2dcd2e
Link:
https://www.unpac.me/results/7c253618-9f58-428f-9371-c52da0db01a7/
SH256 hash:
41d6db70858a428dad6e07122f357c4e08a45cbdbd2785368d0bf2af7f0e61da
MD5 hash:
7bd1b2b1d1c934c94d0d283e41523541
SHA1 hash:
25b9701fa11084f7cb2f7b879fb689664905c377
Link:
https://www.unpac.me/results/7c253618-9f58-428f-9371-c52da0db01a7/
SH256 hash:
504cd80cc305c3f7bb57d8ea839779e554daaf03f8c108898b8e7a4c300c4494
MD5 hash:
2b782d8bdc0487882a3294e343acd511
SHA1 hash:
8f5613c034f370974bdd26c0f7f86ff94b00555f
Link:
https://www.unpac.me/results/7c253618-9f58-428f-9371-c52da0db01a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/504cd80cc305c3f7bb57d8ea839779e554daaf03f8c108898b8e7a4c300c4494

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/271067/

Comments