MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5919ae288790c1f2e0f81d6016f5f6c037738b9887d0dacfd259cac766d8e882. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs YARA 15 File information Comments

SHA256 hash:	5919ae288790c1f2e0f81d6016f5f6c037738b9887d0dacfd259cac766d8e882
SHA3-384 hash:	379d5baf27f3f1b15f5cfe2a6af5b2feafcd08e866ca0b3fbcea1195e92906189420148babd4d8e5134ffccd6b9104e5
SHA1 hash:	b2b4dfec7c439253abf2ded7ad4e5befcdc41a39
MD5 hash:	9918a3899c2682851d23d07e10a7153e
humanhash:	twelve-pizza-beryllium-gee
File name:	PTT-20230706-WA25016pdf.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	3'745'792 bytes
First seen:	2023-07-06 05:46:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	24576:c12J/ToakWT1kuSWUpP53m0Q4fAGkqWJvc111kTFdSegrgJYuepHYUtVsJ6nPbQ8:82poaCuCpx20Q4fAGkn
Threatray	3'943 similar samples on MalwareBazaar
TLSH	T1AB064B93B64794E1F4471B3AC99AB82C0371F4D366D3F91926CE23148E47B762A49E0F
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	dc9898d898285458 (2 x AgentTesla, 1 x Loki, 1 x QuasarRAT)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://198.98.54.161/b3/300/pin.php

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

PTT-20230706-WA25016pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-07-06 06:02:45 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/9e6ba860-f203-4bf6-99f2-827ac91d6c3b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/408749/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control lokibot lolbin

Link:

https://www.filescan.io/uploads/64a65559ed99345aa0c43bb4/reports/1fae9779-74e4-4606-9b2b-cf8c37b2a235/overview

Verdict:

Malicious

Labled as:

Ser.MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/5919ae288790c1f2e0f81d6016f5f6c037738b9887d0dacfd259cac766d8e882

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d88a7427-b507-4b53-a1dc-a156d0d00b0f

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1268832

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected aPLib compressed binary

Yara detected Costura Assembly Loader

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/5919ae288790c1f2e0f81d6016f5f6c037738b9887d0dacfd259cac766d8e882/

Threat name:

Win32.Infostealer.Primarypass

Status:

Malicious

First seen:

2023-07-06 00:40:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 37 (62.16%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lem24kehsda7fyhydvqbn5pwya3xhc4yq7invt6slhfmozwy5cba._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection persistence spyware stealer trojan

Link:

https://tria.ge/reports/230706-ggv9naae4x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://198.98.54.161/b3/300/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

77cc65d44cb3a55830173a2556e19b1c1ee3274482cc3919575915d5b1537b2f

MD5 hash:

b77307033bcbf89ec37f28c5a346a76f

SHA1 hash:

eb4910509a74d99af9248a28f13d3dd4516b2167

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

945889f1ae5134b211e2e8f88a64ab979ead6947794563ac75961e09232e901e

MD5 hash:

efca2b9d21d603033c43cc2dcb2dfda6

SHA1 hash:

cef7d15266f9f389f5e21b030b2a7b0d9beacd68

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

c52334abf263bc64a2d3175285b617654e8c64fea93f128f55ee63f71e661ea2

MD5 hash:

a92ecbae12292508be356de58f5191e3

SHA1 hash:

606afe560b6b30c93e7353de985bb97721916f4f

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

66789c0b020f18ffe1fe16e3fe1068baf85edb3fcbedcbd92031c084d6dda038

MD5 hash:

9c45a982b8d86160a0c4210f1fdff905

SHA1 hash:

26f49a95fe798fcb7ada55eaa6e3b8a407cdd4eb

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

77cc65d44cb3a55830173a2556e19b1c1ee3274482cc3919575915d5b1537b2f

MD5 hash:

b77307033bcbf89ec37f28c5a346a76f

SHA1 hash:

eb4910509a74d99af9248a28f13d3dd4516b2167

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

77cc65d44cb3a55830173a2556e19b1c1ee3274482cc3919575915d5b1537b2f

MD5 hash:

b77307033bcbf89ec37f28c5a346a76f

SHA1 hash:

eb4910509a74d99af9248a28f13d3dd4516b2167

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

945889f1ae5134b211e2e8f88a64ab979ead6947794563ac75961e09232e901e

MD5 hash:

efca2b9d21d603033c43cc2dcb2dfda6

SHA1 hash:

cef7d15266f9f389f5e21b030b2a7b0d9beacd68

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

77cc65d44cb3a55830173a2556e19b1c1ee3274482cc3919575915d5b1537b2f

MD5 hash:

b77307033bcbf89ec37f28c5a346a76f

SHA1 hash:

eb4910509a74d99af9248a28f13d3dd4516b2167

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

945889f1ae5134b211e2e8f88a64ab979ead6947794563ac75961e09232e901e

MD5 hash:

efca2b9d21d603033c43cc2dcb2dfda6

SHA1 hash:

cef7d15266f9f389f5e21b030b2a7b0d9beacd68

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

945889f1ae5134b211e2e8f88a64ab979ead6947794563ac75961e09232e901e

MD5 hash:

efca2b9d21d603033c43cc2dcb2dfda6

SHA1 hash:

cef7d15266f9f389f5e21b030b2a7b0d9beacd68

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

c52334abf263bc64a2d3175285b617654e8c64fea93f128f55ee63f71e661ea2

MD5 hash:

a92ecbae12292508be356de58f5191e3

SHA1 hash:

606afe560b6b30c93e7353de985bb97721916f4f

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

66789c0b020f18ffe1fe16e3fe1068baf85edb3fcbedcbd92031c084d6dda038

MD5 hash:

9c45a982b8d86160a0c4210f1fdff905

SHA1 hash:

26f49a95fe798fcb7ada55eaa6e3b8a407cdd4eb

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

c52334abf263bc64a2d3175285b617654e8c64fea93f128f55ee63f71e661ea2

MD5 hash:

a92ecbae12292508be356de58f5191e3

SHA1 hash:

606afe560b6b30c93e7353de985bb97721916f4f

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

c52334abf263bc64a2d3175285b617654e8c64fea93f128f55ee63f71e661ea2

MD5 hash:

a92ecbae12292508be356de58f5191e3

SHA1 hash:

606afe560b6b30c93e7353de985bb97721916f4f

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

66789c0b020f18ffe1fe16e3fe1068baf85edb3fcbedcbd92031c084d6dda038

MD5 hash:

9c45a982b8d86160a0c4210f1fdff905

SHA1 hash:

26f49a95fe798fcb7ada55eaa6e3b8a407cdd4eb

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

66789c0b020f18ffe1fe16e3fe1068baf85edb3fcbedcbd92031c084d6dda038

MD5 hash:

9c45a982b8d86160a0c4210f1fdff905

SHA1 hash:

26f49a95fe798fcb7ada55eaa6e3b8a407cdd4eb

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

SH256 hash:

5919ae288790c1f2e0f81d6016f5f6c037738b9887d0dacfd259cac766d8e882

MD5 hash:

9918a3899c2682851d23d07e10a7153e

SHA1 hash:

b2b4dfec7c439253abf2ded7ad4e5befcdc41a39

Link:

https://www.unpac.me/results/8252fcdd-fcd4-4189-9502-40df0ec77626/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5919ae288790/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5919ae288790c1f2e0f81d6016f5f6c037738b9887d0dacfd259cac766d8e882

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/408749/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample