MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f5ee46db740dea60147de78f53e5e9ff12c4c5cb22b5521cecfe10a94453a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments

SHA256 hash:	56f5ee46db740dea60147de78f53e5e9ff12c4c5cb22b5521cecfe10a94453a6
SHA3-384 hash:	af11560bd4f204f43542ddae9410319824e0066bfefdf92c2ececc1d529fb056479e163bdaa068c63333bbca9289eff7
SHA1 hash:	537b6e801fd59d935bdb591693218fdf03b8fab9
MD5 hash:	cff6bfb30240c8d1939f24b50ba191da
humanhash:	fifteen-emma-twelve-apart
File name:	cff6bfb30240c8d1939f24b50ba191da.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	688'128 bytes
First seen:	2021-11-17 15:18:13 UTC
Last seen:	2021-11-17 16:29:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:jrx5jPdUREEudmk+gKK7z9f3yykM7JoyARKFqXg62SNGOZoRxTCyvlNs1MqtD00:nxxPdZ/x50ykM7q+0XI7ZRNCKoMqC0
Threatray	5'467 similar samples on MalwareBazaar
TLSH	T1DEE4015033EC6B82E17987F58172A07143B27C6A6A72D18E1EC365DF25B0F102AE5F67
Reporter	abuse_ch
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cff6bfb30240c8d1939f24b50ba191da.exe

Verdict:

Malicious activity

Analysis date:

2021-11-17 15:39:46 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/d67eb1ed-aac1-4082-8539-c59fca71d7a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.ArtemisCFF6BFB30240.17551.7709.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61951d684912a8c920a18987/reports/078dfeae-8d82-4193-ab05-9a660c9ff94b/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50793622-7398-4e83-b194-ddde8b7b71ab

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/891337

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/56f5ee46db740dea60147de78f53e5e9ff12c4c5cb22b5521cecfe10a94453a6/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-17 15:19:09 UTC

AV detection:

17 of 28 (60.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=k3264rw3oqg6uyaupxty6u7f5h7rfrgfzmrlkuq45t7bbkkekota._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/211117-sp6wxaabaq/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://samkoproducts.xyz/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f

MD5 hash:

bf5c170790a9378101dbc312303925e3

SHA1 hash:

bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8

Link:

https://www.unpac.me/results/c1353e38-72a0-4e82-9e5a-e1d3ef3ddc53/

SH256 hash:

8c804b4a7f77564178020b85fe9d516f35368f5b549b2aea399708c790c71eec

MD5 hash:

bff2918d8c1fbf3290ca68e10ec4bb5a

SHA1 hash:

88e056a94fa70853d5684246674ebfe71c080dbd

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/c1353e38-72a0-4e82-9e5a-e1d3ef3ddc53/

Parent samples :

ebec47078803f8b6e5668902184c54d84b6da89634d295e5faf5a14e0331c5ed
27a4f353a9a69e6ba36eb461e8eaa25c4bf68f05793b77675bb999e30b490a35
56f5ee46db740dea60147de78f53e5e9ff12c4c5cb22b5521cecfe10a94453a6

SH256 hash:

fa9bd718c77806554d662d11a96192dbe5bfaf52492ed8d8b6b59703c5d249b1

MD5 hash:

8f13e2d30358e166c890bc6b3450a8fb

SHA1 hash:

709b148ce3c41e8f52e930a7997a9de5c3144551

Link:

https://www.unpac.me/results/c1353e38-72a0-4e82-9e5a-e1d3ef3ddc53/

SH256 hash:

f2d4b45e19377162210928711bb496340f403c710fd29f03b66ecf9ffbffbfc1

MD5 hash:

999f650e2e48279129f601726ac25bec

SHA1 hash:

56448e0a169be88e6daffb918252543ba1baccb1

Link:

https://www.unpac.me/results/c1353e38-72a0-4e82-9e5a-e1d3ef3ddc53/

SH256 hash:

56f5ee46db740dea60147de78f53e5e9ff12c4c5cb22b5521cecfe10a94453a6

MD5 hash:

cff6bfb30240c8d1939f24b50ba191da

SHA1 hash:

537b6e801fd59d935bdb591693218fdf03b8fab9

Link:

https://www.unpac.me/results/c1353e38-72a0-4e82-9e5a-e1d3ef3ddc53/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/56f5ee46db74/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/56f5ee46db740dea60147de78f53e5e9ff12c4c5cb22b5521cecfe10a94453a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 56f5ee46db740dea60147de78f53e5e9ff12c4c5cb22b5521cecfe10a94453a6

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1795041/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/206911/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample