MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 9

Intelligence 9 IOCs YARA 12 File information Comments

SHA256 hash:	5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de
SHA3-384 hash:	0cffc8ce32e357ed617feae5952b523fa5819ecdcf004752038c6d89cab4279b2e392ae9b257dc305a8a509362628c2b
SHA1 hash:	0ff3c7fa8d918de66675e72c23917656969af4ae
MD5 hash:	7b68b43f14bff45ad706488b5b3e8414
humanhash:	magazine-pizza-three-asparagus
File name:	http___103.89.90.94_suket_wininit.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	877'056 bytes
First seen:	2021-07-13 08:46:46 UTC
Last seen:	2021-07-13 12:09:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:Kd4aaGfu0EKaZk18HBgtOqML5N2LxV03yAq8dLLgkbY4s0AvQZO/oXXN5GnTOdUA:JCa1BgtOhL5AQCAlLhbY48QZcoIi
Threatray	3'550 similar samples on MalwareBazaar
TLSH	T14415492C23BDA039F2F6FE719F90A2849F56667F9125910919F4CE0A7433D80AD7E931
Reporter	Racco42
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/171317/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.925-1.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fab5449b-b99c-4529-878b-2c96fc800502

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/815392

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-13 08:47:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=loy6yx3l4vrmuk7oymoulrwm4s4bckb3ejpd6jsu3p56ltepa7pa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/210713-y32nhvpqk6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Lokibot

Malware Config

C2 Extraction:

http://185.227.139.18/dsaicosaicasdi.php/S4wFP8QBww9Tp
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4

MD5 hash:

b0e14c3526d6623ae9b7b5f5e0efde76

SHA1 hash:

f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc

Link:

https://www.unpac.me/results/d2e8fec0-3634-44c0-9bb9-422e9d73b2ac/

SH256 hash:

d1fcb35b59707f5d7e35a040a65158a3050028ca1149bc1255f7e0f733560c05

MD5 hash:

2e4b6afb4e2c466d1bd96ef0f08e00ad

SHA1 hash:

e08ecad6e40aa268c5025e173be1d3584c22ad09

Link:

https://www.unpac.me/results/d2e8fec0-3634-44c0-9bb9-422e9d73b2ac/

SH256 hash:

43093cddb931e5bf874135b40112e0f37f1ff40182477991e4d5b5a2e73b56e6

MD5 hash:

3f65d8d085281347fcdb0883390573e3

SHA1 hash:

afbbf7b3e770c6db3a62492964e1ce6a083a159f

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/d2e8fec0-3634-44c0-9bb9-422e9d73b2ac/

Parent samples :

9a199e2b4e80ae388fb016bd30162720cd9da81274ac9eac15d4dcffd9be28dc
5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de
9078e729496a2a7b25e83d386d6ac997e128d25fad90b22864e121aa6419980b

SH256 hash:

8e67bbce46045543be7148b71ddd1a9376386225809fc4f6d6e917b763742b33

MD5 hash:

9ad9290959f8c068c462e892d65ebf5d

SHA1 hash:

38d427008ba8c4c29e1faa616fd666fdda08b955

Link:

https://www.unpac.me/results/d2e8fec0-3634-44c0-9bb9-422e9d73b2ac/

SH256 hash:

5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de

MD5 hash:

7b68b43f14bff45ad706488b5b3e8414

SHA1 hash:

0ff3c7fa8d918de66675e72c23917656969af4ae

Link:

https://www.unpac.me/results/d2e8fec0-3634-44c0-9bb9-422e9d73b2ac/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5bb1ec5f6be562ca2beec31d45c6cce4b811283b225e3f2654dbfbe5cc8f07de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/1449952/

Cape

https://www.capesandbox.com/analysis/171317/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample