MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60697f7c17c442322eea32ac41ee4d4e152e61fcff29079f4522cfa8de122c71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki
Vendor detections: 15



SHA256 hash: 60697f7c17c442322eea32ac41ee4d4e152e61fcff29079f4522cfa8de122c71
SHA3-384 hash: 9f3ef30b30a96295a3c7fd626c29ea055fca26f45e86261f4c6268235ef57d491ad22875c3e54f49ca87c32fc8e5b720
SHA1 hash: 1689dcaeb5f4f8181235f45b2fea2b71a58e2e22
MD5 hash: 7a2484277599f27801079f9bbda665c1
humanhash: oven-winner-uranus-monkey
File name: 7a2484277599f27801079f9bbda665c1
Signature: Loki
File size: 227'287 bytes
First seen: 2021-08-25 12:55:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 35807dcde258f88fa3ce5c21adc607fb (5 x Loki, 4 x a310Logger, 2 x Formbook)
ssdeep: 3072:riCuxk8o8iH7WyeLmKraSpzGmXTS3tZozdcQobfICn9DKHAwomU+3K11ma1farvh:riQPdHG1dTsZWkIkKHAwoU3KFGSDWJO0
Threatray: 4'456 similar samples on MalwareBazaar
TLSH: T1D22402B91782E549C102DB7B57DDEC508349CC5FEAE0A8EB41197820FBB5CE86DB35A0
Reporter: zbetcheckin
Tags: 32 exe Loki

Intelligence

File Origin
# of uploads: 1
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: MINDRAY_RFQ Defribillators by SEA.xlsx
Verdict: Malicious activity
Analysis date: 2021-08-25 11:57:45 UTC
Tags: encrypted opendir exploit CVE-2017-11882 trojan lokibot stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Sending a UDP request
Stealing user critical data
Moving of the original file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 471495; Sample: 6HTHgkROcE; Startdate: 25/08/2021; Architecture: WINDOWS; Score: 100
Top signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
Process tree: 6HTHgkROcE.exe started conhost.exe and a second 6HTHgkROcE.exe
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2021-08-25 11:19:22 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://65.21.223.84/~t/i.html/m9vo3uzZGXz0z
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SHA256 hash: 62a79366ce25be99ef06991bc6c6925a3ddf7df228ad02c5cac4848bdce0659d
MD5 hash: f55fa2308617787bcd4244ee09edbb12
SHA1 hash: 551edf767937faf5f2b37931abc57a34dc2cfab1
Detections: win_lokipws_g0 win_lokipws_auto

SHA256 hash: 60697f7c17c442322eea32ac41ee4d4e152e61fcff29079f4522cfa8de122c71
MD5 hash: 7a2484277599f27801079f9bbda665c1
SHA1 hash: 1689dcaeb5f4f8181235f45b2fea2b71a58e2e22
Malware family: Lokibot
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Loki: Executable exe 60697f7c17c442322eea32ac41ee4d4e152e61fcff29079f4522cfa8de122c71 (this sample)
Delivery method: Distributed via web download

Comments

zbet commented on 2021-08-25 12:55:18 UTC

url : hxxp://107.173.192.144/pnb/vbc.exe