MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fb23e7a8d39bc15fc97d7f216e8806bff57c1281ec73b44d74272e17dc0105b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fb23e7a8d39bc15fc97d7f216e8806bff57c1281ec73b44d74272e17dc0105b
SHA3-384 hash: 41f5278ca25f49283af654102e0a44e1119c3b3a763f67eb77bcaf782afaff77162095e4a22c2ca1dc21878176af42ea
SHA1 hash: e9b713a0a32f9283c047794aa63bf29ae8cbb976
MD5 hash: afbd392bc9394737b12f45caca9a0fd7
humanhash: purple-hawaii-uniform-virginia
File name:TNT Bill Of Lading Shipment Doc.exe
Download: download sample
Signature Loki
Create hunting rule
File size:366'080 bytes
First seen:2020-10-27 08:50:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:SrBiuZ6AMYb4FpwWAxdTZ4jk6p9dSuRxZI/i1ZQJ/uSKm9tIrrmU51uxxybN5Xq1:klzdTZ4rjNxG/i/OfFGr6lxDssTujXt
Threatray 367 similar samples on MalwareBazaar
TLSH 0B74AD716852596EC66A0631C469C0C0B9F62FC2FB948A0F719A7F0F3D319DBAB53247
Reporter abuse_ch
Tags:exe Loki TNT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: xmx0.501.awnex.ml
Sending IP: 68.183.85.42
From: TNT INTERNATIONAL <tnt@501.awnex.ml>
Subject: TNT Consignment Notification for 8048387461
Attachment: TNT Bill Of Lading Shipment Doc.gz (contains "TNT Bill Of Lading Shipment Doc.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79704/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34950175.13252.2562.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/513052
Signature
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fb23e7a8d39bc15fc97d7f216e8806bff57c1281ec73b44d74272e17dc0105b/
Threat name:
ByteCode-MSIL.Trojan.OutBreak
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 23:50:09 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6zd46unhg6bl7ex27zbn2eanp7vpqjid3dtwrgxijzoc7oacbnq._file
Verdict:
unknown
Similar samples:
015f0cf04ffdca8141fd57bc67848a21dc11ab2fda0a91627f6deddcde2c0ca9
Loki
0edc105e9bc4e9b297487650e45b6ee0b0ca1e97e2194a2b455d657e428be977
Loki
13115d9faa05c1bfa921a587d03e71a727b6be5c589f83a458287691491ed378
Loki
4323dbb489f82a5a4906fbc6e0dc37a6589dc7b073f2fa0a569b7d3409314e15
Loki
538796eab271c26afcd8fbd9da301c3b0122b1f44ae02b976857ece6faf9a15c
Loki
6b2888cc6f4f233acad6a7548e72cfcce28ab97931c987cf8c1243a39b44aa34
Loki
8878c46875d3b0d420bd76508490e5c6df7a55359d1d039f0edb145e836addb1
Loki
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
Loki
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
Loki
ef4c04da2b5fe6ce33597d1dbe44a8b84b156cb1bd03b3a3f8d8c9dabede075b
Loki
+ 357 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:lokibot
Link:
https://tria.ge/reports/201027-tv9nmvg646/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Lokibot
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/OxWthiADbKcbo
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz f0912dc89cf132b72118b2e6ea634eb9b8b5109929e2e849d204347944e07ef3

Loki

Executable exe 5fb23e7a8d39bc15fc97d7f216e8806bff57c1281ec73b44d74272e17dc0105b

(this sample)

  
Dropped by
MD5 d6810043620766f942217bc0162de8b4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f0912dc89cf132b72118b2e6ea634eb9b8b5109929e2e849d204347944e07ef3
Cape
Cape
https://www.capesandbox.com/analysis/79704/

Comments