MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 555ef005b76db7d2c8bcd3364b02c0f282fbd5cf1da87524e2f2160a6ff7d642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 555ef005b76db7d2c8bcd3364b02c0f282fbd5cf1da87524e2f2160a6ff7d642
SHA3-384 hash: 693a255b5dfda605adfa450c09d195b3b49f517ccde379ef989ac5adcf017616ac5f7014cd18bc81b99a15a6231bdb37
SHA1 hash: 1ec75b1ba3a8112b48ec7bf48cbab527b695f5a9
MD5 hash: 40caefae9655ee0c0726c76becde4743
humanhash: failed-vegan-may-ack
File name:IMG105677.exe
Download: download sample
Signature Loki
Create hunting rule
File size:197'928 bytes
First seen:2021-05-20 09:30:24 UTC
Last seen:2021-05-20 10:15:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:UBj6K0QdseKpNK3N6zuVHCTrEETmqayLp/ChdWKEsth6xChK:FSuKOuurKE2NEi6x0K
Threatray 223 similar samples on MalwareBazaar
TLSH 1F14DF05963C59E1FA9D4CB6A1CAD31443A1DF814833CA1BE49B73C0EA373E7E9162D6
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://74.201.28.138/kpi/03/pin.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://74.201.28.138/kpi/03/pin.php https://threatfox.abuse.ch/ioc/49717/

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG105677.exe
Verdict:
No threats detected
Analysis date:
2021-05-20 09:35:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98f5775c-ebbb-420c-8852-fed2349fe409

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/159515/
Detection(s):
SecuriteInfo.com.Variant.Bulz.480898.4983.10815.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/786011
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 418413 Sample: IMG105677.exe Startdate: 20/05/2021 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 9 other signatures 2->38 8 IMG105677.exe 3 14 2->8         started        process3 file4 22 C:\Users\user\AppData\Roaming\...\adob.exe, PE32 8->22 dropped 24 C:\Users\user\AppData\Local\...\IMG105677.exe, PE32 8->24 dropped 26 C:\Users\user\...\adob.exe:Zone.Identifier, ASCII 8->26 dropped 28 3 other malicious files 8->28 dropped 40 Creates an undocumented autostart registry key 8->40 42 Writes to foreign memory regions 8->42 44 Allocates memory in foreign processes 8->44 46 Injects a PE file into a foreign processes 8->46 12 IMG105677.exe 54 8->12         started        16 wscript.exe 1 8->16         started        signatures5 process6 dnsIp7 30 74.201.28.138, 49708, 49709, 49710 DEDIPATH-LLCUS United States 12->30 48 Multi AV Scanner detection for dropped file 12->48 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Tries to steal Mail credentials (via file registry) 12->52 58 4 other signatures 12->58 54 Wscript starts Powershell (via cmd or directly) 16->54 56 Adds a directory exclusion to Windows Defender 16->56 18 powershell.exe 26 16->18         started        signatures8 process9 process10 20 conhost.exe 18->20         started       
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/555ef005b76db7d2c8bcd3364b02c0f282fbd5cf1da87524e2f2160a6ff7d642/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-05-20 09:31:12 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kvppabnxnw35fsf42m3ewawa6kbpxvopdwuhkjhc6ilau37x2zba._file
Verdict:
unknown
Similar samples:
2800f779fcf9eb82626c08e19c5c2a46a149a1a0d046ef79c6c9ac1a44c6017e
Loki
331722d514ec20d655c7df7d57f01803eba14f1ef2b661b8c61a41b154aa2723
Loki
4a2311968fb73e55620ce972659fc74159f8127ebccb826d3150bc6d19c0f793
Loki
53bcd055cbd5e6095af4dd15128a0a065d1ecd09e2f5882a240fc243ac04a2fe
Loki
86b4bb9ea11ac97ecf7390c0e4e2979b69c294c22c65931ff734926c9540a0fd
Loki
8e46babf39c3c93defecf2d1956b1911a95ab4f30f7afd30a239789e1113fb92
Loki
acd2d368c51ecef353154266a25f69f42d067b0c329ab3f503eb3e73c6c59665
Loki
b2f7371dbc4fb27739f11a5fbf9aa878f118d1f8659025422bc614e7c5b60ff6
Loki
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
Loki
c2915b4dd61e16f6da8aeb380a2732bdba70764af261819afa71e83481333004
Loki
+ 213 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210520-rtmanj7wxe/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://74.201.28.138/kpi/03/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/555ef005b76db7d2c8bcd3364b02c0f282fbd5cf1da87524e2f2160a6ff7d642

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_03e9eb4dff67d4f9a554a422d5ed86f3
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 555ef005b76db7d2c8bcd3364b02c0f282fbd5cf1da87524e2f2160a6ff7d642

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/159515/
  
URLhaus
https://urlhaus.abuse.ch/url/1264427/
  
Delivery method
Distributed via web download

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-20 10:00:54 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program