MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5689e6baf4a5e10b19eb7dc78f65f421e964d49548fdcc6a7751acae7c14ddda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5689e6baf4a5e10b19eb7dc78f65f421e964d49548fdcc6a7751acae7c14ddda
SHA3-384 hash: 08eef1a812c1788cffd374fbb91521e80c54284619366c6117afd8b3e629bbd42162e0c0ee6c1a5dcf5bc049b9461adb
SHA1 hash: a782ed308dce106c10c5b97a62dc88fe93970d03
MD5 hash: 4f4246a4ef74d7539bc6dccaefd4f89e
humanhash: east-lemon-three-football
File name:SecuriteInfo.com.PWS-FCUF4F4246A4EF74.22626.10392
Download: download sample
Signature Loki
Create hunting rule
File size:1'537'536 bytes
First seen:2021-06-03 07:45:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:14QbjBsU5EHLFL3TDTECb58GAMF0hk8kyVkr4:qKjBmdLtDb0Sr
Threatray 3'132 similar samples on MalwareBazaar
TLSH 3065C692B7998F38E28D8A734EDF581C4EBC81F516016F794FB376482F12356C53898A
Reporter SecuriteInfoCom
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.PWS-FCUF4F4246A4EF74.22626.10392
Verdict:
Malicious activity
Analysis date:
2021-06-03 07:48:38 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/01b63e07-1feb-457f-8096-5758c89d84fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164314/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796503
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5689e6baf4a5e10b19eb7dc78f65f421e964d49548fdcc6a7751acae7c14ddda/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 04:09:10 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2e6noxuuxqqwgplpxdy6zpuehuwjvevjd64y2txkgwk47au3xna._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
44e32cacf45f4d123ecdee7dcde7f7b3280834aeb576d58fdd0bf78c8028db4c
Loki
4afef235bc6027a2319e50fb91190cc64db8b461095626f1bf5ecdf218d5836a
Loki
4bd404cc5efe7bdc3d393752fb5c96da7b4c0c57f2143c50b411e180f2fea3d8
Loki
93b54f00313eead297d3e2d93c4f84d023f862e524509dd31cd5bf58dfcd0631
Loki
a4273258f20011ca2466a27ca652b8cb2febf6ef5cfea22c608cd17be702834e
Loki
ac18abbd515d29a3f7d05962c5639bd05067215d21a04a2cbd2266e1c99007c1
Loki
b37be7f126109ef6a823dd28be1cf9dd9dc1513bad982eb3fae486db27b1250a
Loki
cc348d59b645b999a5f3b83240e6459338c605d8c0b5ec6b47f82baae02a316b
Loki
e848b76b3e985c2074d4d4e0b7129f56424b6f6e3b3c1ca0e0c83b82ca3f6938
Loki
edee1e323f450c8f4f1997fca28ef88b8e7077a4a63d2eccc6476872742a3a79
Loki
+ 3'122 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot evasion spyware stealer trojan
Link:
https://tria.ge/reports/210603-ke42kv5aaa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
Malware Config
C2 Extraction:
http://173.208.204.37/k.php/tfqt7RifXPW3W
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1e7c66f6da06a0ea81371fb98d0e76424a600518b808140279c7ba8e06541ac5
MD5 hash:
8fe0389e4b903545421e42b628186cd2
SHA1 hash:
f6adc3d1a4ac995fad2a49474243d896b0236c2b
Link:
https://www.unpac.me/results/2c5ad82d-b909-4f89-9c9a-94a99f73857d/
SH256 hash:
5689e6baf4a5e10b19eb7dc78f65f421e964d49548fdcc6a7751acae7c14ddda
MD5 hash:
4f4246a4ef74d7539bc6dccaefd4f89e
SHA1 hash:
a782ed308dce106c10c5b97a62dc88fe93970d03
Link:
https://www.unpac.me/results/2c5ad82d-b909-4f89-9c9a-94a99f73857d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5689e6baf4a5e10b19eb7dc78f65f421e964d49548fdcc6a7751acae7c14ddda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164314/

Comments