MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs 1 YARA 6 File information Comments

SHA256 hash:	5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3
SHA3-384 hash:	fc8c7c25d1babfcbe203cc750795f337c60b11d61bd88334883dd59ba69a46580f244e51f1ec58b79a76ad98e42ff23d
SHA1 hash:	0712817e7fabe68e34d67ce4151728d9f2eb8cba
MD5 hash:	2360bb0b42650f2feb47a0e988ccc3ea
humanhash:	muppet-robin-massachusetts-arkansas
File name:	2360bb0b42650f2feb47a0e988ccc3ea.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	748'378 bytes
First seen:	2024-08-02 15:30:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep	12288:AcrNS33L10QdrX6O1nbGnBoX0DWdl3oV52aA8buKO01+0SOP1HvMKhv5KVwCaU0F:jNA3R5drX31bFXOul4qr8bK04BOP1Hvb
TLSH	T170F40201B7D684F2E6732E365D39E710A8BCB9301E34DA1FA7C4496DDA35191E224BB3
TrID	89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.5% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 1.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	e845d3f83c9b46f4 (1 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://94.156.66.169/shtfgdfgd/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://94.156.66.169/shtfgdfgd/Panel/five/fre.php	https://threatfox.abuse.ch/ioc/1306297/

Intelligence

File Origin

# of uploads :

# of downloads :

435

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

2360bb0b42650f2feb47a0e988ccc3ea.exe

Verdict:

Malicious activity

Analysis date:

2024-08-02 15:30:51 UTC

Tags:

lokibot stealer trojan

Link:

https://app.any.run/tasks/c58f2b3a-f2a5-412f-8097-95eb630c90b2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66acfbba037b02d0daed2516

Tags:

Encryption Execution Network Static Trojan

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Running batch commands

Creating a process from a recently created file

Creating a file

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Changing a file

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Enabling the 'hidden' option for recently created files

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Connection attempt to an infection source

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed setupapi sfx shdocvw shell32

Link:

https://www.filescan.io/uploads/66acfbbf4c5c17942a81d3c8/reports/2818048d-75aa-487a-bc58-d26359a2886d/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c36ff77b-28c8-4d20-a4e4-7ca44c922ef0

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1486914

Signature

AI detected suspicious sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses known network protocols on non-standard ports

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3/

Threat name:

Win32.Infostealer.LokiBot

Status:

Malicious

First seen:

2024-08-02 15:31:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kflk3vjd6chlp2v3khz44zenn6j4mrv6ytdm5z65lhmv4w2qwkzq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection credential_access discovery spyware stealer trojan

Link:

https://tria.ge/reports/240802-sx2bdszckn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

Lokibot

Malware Config

C2 Extraction:

http://94.156.66.169:5888/shtfgdfgd/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/aef6c17c-1929-4d0e-a2ea-175a872c1734

Unpacked files

SH256 hash:

2947411a3e667939243f2811277cf35e7515769a065fbe05e80005b921ddec4a

MD5 hash:

07b6c5829147cd677012554fc1ae76fa

SHA1 hash:

ae2e2e7218f19381ee2dcccf9182aa16479a265d

Link:

https://www.unpac.me/results/240d0fc2-84d0-4c50-9d77-ae11c73c75fb/

SH256 hash:

46cf76fdf40a56cd454b0559a35aea15a5db88818ae0736ba885e5c1933f03aa

MD5 hash:

88c57cfd676c220fa1d5df55443ed4cd

SHA1 hash:

7e096da301d005526d8b5d3ee5edc3085831b232

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Lokibot

SUSP_XORed_URL_In_EXE

STEALER_Lokibot

Link:

https://www.unpac.me/results/240d0fc2-84d0-4c50-9d77-ae11c73c75fb/

SH256 hash:

18a5eedad76f960e2beb7603a2ef1a54a944abe9f34a7bf01b333af4a1fa47b2

MD5 hash:

1a5a2ab761d36b9b9378aee527b1812c

SHA1 hash:

53f93196f284fde3aa2cf29cbac22e726faa12a1

Link:

https://www.unpac.me/results/240d0fc2-84d0-4c50-9d77-ae11c73c75fb/

SH256 hash:

14294dff13988ad3efe1ef9ca884b98d554a2c94bab76671e8a724d489785059

MD5 hash:

03ac3991dbdb18d73bda731e1f9cdf7c

SHA1 hash:

96ab8e03593bf0591bae31487e89ac6b6e3c3a91

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/240d0fc2-84d0-4c50-9d77-ae11c73c75fb/

SH256 hash:

5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3

MD5 hash:

2360bb0b42650f2feb47a0e988ccc3ea

SHA1 hash:

0712817e7fabe68e34d67ce4151728d9f2eb8cba

Link:

https://www.unpac.me/results/240d0fc2-84d0-4c50-9d77-ae11c73c75fb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 5156add523f08eb7eabb51f3ce648d6f93c646bec4c6cee7dd59d95e5b50b2b3

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3084846/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample