MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5679008fcf76aef9dabf388db1a4224a299e9cd9856d7beac6c113c23bc25801. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	5679008fcf76aef9dabf388db1a4224a299e9cd9856d7beac6c113c23bc25801
SHA3-384 hash:	be0901077a3d06f4e88734719f432531495b8e42dd1f056cd601d46d375876f43fb33383a8a8061df189f4fbd0789115
SHA1 hash:	d8d95b001d62b9fc9ea0e2747780ce2184ed0ef8
MD5 hash:	ce6b5355f2953c7d215a442b6b2dbb36
humanhash:	foxtrot-pasta-minnesota-lamp
File name:	CE6B5355F2953C7D215A442B6B2DBB36.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	234'076 bytes
First seen:	2021-07-12 19:01:48 UTC
Last seen:	2021-07-12 19:35:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6e7f9a29f2c85394521a08b9f31f6275 (277 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep	6144:MMm4CCBQnmfKzTpsUqn365ou4YzqMbBMY:MMwi6muzZbSY
Threatray	3'545 similar samples on MalwareBazaar
TLSH	T10134C030B702C886F56214F88833D7A960D69EA51FB5C259E6E7376AF9F53022C4F14B
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://mxrz.xyz/tker3/w2/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://mxrz.xyz/tker3/w2/fre.php	https://threatfox.abuse.ch/ioc/116383/

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.21240.32694.12066.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/482cc36a-8380-49a4-b821-2e22ca100724

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/815106

Signature

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5679008fcf76aef9dabf388db1a4224a299e9cd9856d7beac6c113c23bc25801/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2021-07-08 07:54:57 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kz4qbd6po2xptwv7hcg3djbcjiuz5hgzqvwxx2wgyej4eo6claaq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

47aa20a304624dbf8b71da1804f3f848ab12f2797390d0788067b542dc2c6a9c

Loki

82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea

Loki

98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d

Loki

d29732d660ad3b3e1f478b179c69afae0274e5e40354e5136e22376371e795b6

Loki

d2f93b7d525085e9a3c6b170835d52e545a2daf771b0ce1172bfb0586e9d1103

Loki

de3292924ba69a7f7dfd5b6687d6c774a7aecf8e2ac1368d30ce81c61a14e73f

Loki

+ 3'535 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/210712-jv5ef2jhza/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Lokibot

Malware Config

C2 Extraction:

http://mxrz.xyz/tker3/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

d3bae84edb1f2ad90f531a3e14fbf2bccd95110f3732cca0e47d968a5ca993e7

MD5 hash:

ef08465532b038db625e09da1767cc1b

SHA1 hash:

83a58adca22e0891d5e02069da90efc7daedb99e

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/4c53e5d7-f0df-4731-9f9a-fd42d2db6e23/

Parent samples :

072bd5a94f8b5ac064311a5005243038e7851123321fe309a1b8320aae64030a
e8ff02a0c3ef623bed6098ffee7befbd2595f1f7736971dc98954f88a40c087d
5679008fcf76aef9dabf388db1a4224a299e9cd9856d7beac6c113c23bc25801

SH256 hash:

bdd8cd041309f1bcd71714859c48b996f98310d5ba0fabc17b7bba0e971fc036

MD5 hash:

fd1f8fd806711b93db7756ef4def7edc

SHA1 hash:

6acf351fcf01ffd38c59b0a39462b2326ca01e59

Link:

https://www.unpac.me/results/4c53e5d7-f0df-4731-9f9a-fd42d2db6e23/

SH256 hash:

f2a4d662ed8ef2fbfbdeef78fc2f2afd13b0f36e75073911d403e835400fae43

MD5 hash:

030de5ac498692c46d71ff79bca925fd

SHA1 hash:

920dd0a4767682ddff09ea937a19fa61655a1969

Link:

https://www.unpac.me/results/4c53e5d7-f0df-4731-9f9a-fd42d2db6e23/

SH256 hash:

5679008fcf76aef9dabf388db1a4224a299e9cd9856d7beac6c113c23bc25801

MD5 hash:

ce6b5355f2953c7d215a442b6b2dbb36

SHA1 hash:

d8d95b001d62b9fc9ea0e2747780ce2184ed0ef8

Link:

https://www.unpac.me/results/4c53e5d7-f0df-4731-9f9a-fd42d2db6e23/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/5679008fcf76aef9dabf388db1a4224a299e9cd9856d7beac6c113c23bc25801

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample