MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51
SHA3-384 hash: c083634919d4384e20384a818e592bea2a654d928510a04825944bde2bc54311be9d756dcdf799aa201b7b9e5db296ac
SHA1 hash: edce6f58ff6f4ec1014c9d5f2bde5cca31312861
MD5 hash: 024713eb480a2559a6929387a8af8791
humanhash: oklahoma-mango-twelve-music
File name:PO 201006-14A.exe
Download: download sample
Signature Loki
Create hunting rule
File size:865'792 bytes
First seen:2020-10-06 06:29:50 UTC
Last seen:2020-10-06 08:12:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:lh/iXiDxVmAttLDpyPMcqqWuDZEeXrpuXHAhQb9o7vjL:HDtt0kaHaO3mbk
Threatray 1'560 similar samples on MalwareBazaar
TLSH 0605BF11968C0267F232D038A237D5786BB5DD855A08D2D52DE69CBFFACFE98B4D024C
Reporter abuse_ch
Tags:exe geo KOR Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail-smail-vm28.hanmail.net
Sending IP: 203.133.180.210
From: 구매부 김승준 과장 <yhm0235@daum.net>
Subject: 견적 요청
Attachment: PO 201006-14A.cab (contains "PO 201006-14A.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68482/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482459
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 04:17:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhr5ra4vzwgjnvkbovs3unb4wq6a6m3lvg3qthutctj74f4v55iq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24
Loki
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
Loki
25da7474b9a3f44d1cd3d378bdfde80fc2f6896a38321e1d642d3dccd4f5a010
Loki
441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
Loki
510c68882ff2fed7d2045040f45c79980ebaa58c9c074d59390edc72c1bbca68
Loki
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
Loki
79a794aa53cfb22103d08a8cfa1bb158e2a23bbaa6f73abee590083ae45b560f
Loki
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
Loki
986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53
Loki
d9c78a21a8344b6cc4768d7fa1b9ff128437267f1b7d1d29fccca4a5751d7ed6
Loki
+ 1'550 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201006-d4fxmlmnke/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/kiriko/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51
MD5 hash:
024713eb480a2559a6929387a8af8791
SHA1 hash:
edce6f58ff6f4ec1014c9d5f2bde5cca31312861
Link:
https://www.unpac.me/results/c1508f51-5313-411c-bcdd-3dc6da59fe41/
SH256 hash:
e2c252b4fcd06e8f9d567537fa18d85ce8ee17271de274e58f23cc2b3e6ff1ca
MD5 hash:
9d52d9beaf666eb81023396f324c90bb
SHA1 hash:
1eeda090e43008e27fecba157b4c88b25a4702e1
Link:
https://www.unpac.me/results/c1508f51-5313-411c-bcdd-3dc6da59fe41/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/c1508f51-5313-411c-bcdd-3dc6da59fe41/
SH256 hash:
db062545b1f734963c6e4d2614132495e37f7d7b295f25fa1033bb6a687acca8
MD5 hash:
e84ef5e5e9a5ce278c8e249aa9ef10bd
SHA1 hash:
823b72caafeb855dde1704ed9017f73544d15693
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/c1508f51-5313-411c-bcdd-3dc6da59fe41/
Parent samples :
59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51
5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff
95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd
SH256 hash:
103d46858dfdb80d9ca945be4269612681d862ed7afdd468978430051c7ea9d7
MD5 hash:
d418b36c533453ba49957d2fe781f7ec
SHA1 hash:
9bef8cbad95e5cc0b27a8687661585002de465be
Link:
https://www.unpac.me/results/c1508f51-5313-411c-bcdd-3dc6da59fe41/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab 608dcf1e21feeec9eecd8146de20590a8cba4280f849b6d0dff3ea3cbc8bb99b

Loki

Executable exe 59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51

(this sample)

  
Dropped by
MD5 f1c0eb2308aabede98745268d3c16c5a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 608dcf1e21feeec9eecd8146de20590a8cba4280f849b6d0dff3ea3cbc8bb99b
Cape
Cape
https://www.capesandbox.com/analysis/68482/

Comments