MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6339585ae21633ce485f2b874c9797c84c5326b325847a44361e6978da77b758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6339585ae21633ce485f2b874c9797c84c5326b325847a44361e6978da77b758
SHA3-384 hash: 54f166b26a7c1be997aac80089ff58012944dfbe678faee0f57f4698e8d874bb429c0b86b631228b771ea629deb1f8a6
SHA1 hash: b0d03bef9343a92b5aedd36ccd2779503726073c
MD5 hash: 76c9524b0664e304862bed6a3477ba7d
humanhash: fruit-enemy-beryllium-lithium
File name:76c9524b0664e304862bed6a3477ba7d.exe
Download: download sample
Signature Loki
Create hunting rule
File size:655'872 bytes
First seen:2020-10-21 10:49:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:jRzOE+QXT8EWdV0m/SDHhtKzmHR2ltE4NXndz9PWrYcCGeToCO5R:QdVrekhn97G
Threatray 1'736 similar samples on MalwareBazaar
TLSH C4D4861539BB900DF273AF7ADEC471A28A6BF7722606E56D2052C3060613B87DF8D539
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://195.69.140.147/.op/cr.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74099/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.39482.1268.25008.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Launching a process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
Deleting a recently created file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505728
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301934 Sample: jZzy87Emk0.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for dropped file 2->45 47 9 other signatures 2->47 7 jZzy87Emk0.exe 1 4 2->7         started        11 chlomx.exe 1 2->11         started        13 chlomx.exe 2->13         started        process3 file4 25 C:\Users\user\AppData\Roaming\...\chlomx.exe, PE32 7->25 dropped 27 C:\Users\user\...\chlomx.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\...\jZzy87Emk0.exe.log, ASCII 7->29 dropped 49 Tries to steal Mail credentials (via file registry) 7->49 51 Adds a directory exclusion to Windows Defender 7->51 53 Injects a PE file into a foreign processes 7->53 15 jZzy87Emk0.exe 54 7->15         started        19 powershell.exe 25 7->19         started        21 chlomx.exe 53 11->21         started        signatures5 process6 dnsIp7 31 195.69.140.147, 49765, 49766, 49767 XSGGE Georgia 15->31 23 conhost.exe 19->23         started        33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->33 35 Tries to steal Mail credentials (via file access) 21->35 37 Tries to harvest and steal ftp login credentials 21->37 39 Tries to harvest and steal browser information (history, passwords, etc) 21->39 signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6339585ae21633ce485f2b874c9797c84c5326b325847a44361e6978da77b758/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 06:27:31 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mm4vqwxccyz44sc7foduzf4xzbgfgjvtewchurbwdzuxrwtxw5ma._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8
Loki
5434b3121b379bde98f409a5d00c6da0be9f001b73e73860ca0c530386e002c6
Loki
58bd9279e5ef2a3c1a55c9257c276f8203b69c79e29008399c6629eaf8ca6d56
Loki
6490275833a54ddb21377ef003cacd595697c7659c1b7c6fc24a285fec1946ee
Loki
7f0424ffbe5b0d339a9164c0417ede65b33ec131a6b7f178102a6384640ee1eb
Loki
8867e72aaf3985ed148d3049c628d73ba0024e3129e466c17bd6a665be9e84f0
Loki
96ff361eeb8ab440652d1cbb8b28146f8dd9ee8cf9885f84ff4592b2551da57f
Loki
eb3f9e33686ca1ff7ea50e18303b97a19ed46d985f91d20dca5b4c2aadf45f24
Loki
f5744fe38455554d445847e8dd1794570176bab8fc9b56f9bdd9406a59010a7e
Loki
f94e8615fb3b739ab3ad8ec81511b5439a72d4e865a5f9975aa524ac6036d3c2
Loki
+ 1'726 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201021-eshrjkfg9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/qhFNNougCkZa1
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
6339585ae21633ce485f2b874c9797c84c5326b325847a44361e6978da77b758
MD5 hash:
76c9524b0664e304862bed6a3477ba7d
SHA1 hash:
b0d03bef9343a92b5aedd36ccd2779503726073c
Link:
https://www.unpac.me/results/1fd1cf1e-4f8e-4541-a74b-c255c8d6c329/
SH256 hash:
8223e49ed284080112da0b5d84511960d54252340e2f2cb1a5ac2336561e239e
MD5 hash:
b9a42337e12bfe39e51984455e019268
SHA1 hash:
e31c4ffe4fa402d06fe145b373ed15d495bf1a46
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1fd1cf1e-4f8e-4541-a74b-c255c8d6c329/
SH256 hash:
79a1f7470eb72806d8f9289afeb09a353d447c4127f7f18800fe3b5ef3275200
MD5 hash:
fa66cecf22f8ad58d31ac84f8b358d0b
SHA1 hash:
4d73512228cd2a7549027178ccde8022f829fc10
Link:
https://www.unpac.me/results/1fd1cf1e-4f8e-4541-a74b-c255c8d6c329/
SH256 hash:
c77b8e0c86ae52d19d31d70bd7add6f85b3baee6f39250b06242344937bfa3df
MD5 hash:
9487f12add5f6c191b7ca4deb03c2ec7
SHA1 hash:
d1f2eb7aa9f799ac6ab4067dc3860fb0ba7bd73a
Link:
https://www.unpac.me/results/1fd1cf1e-4f8e-4541-a74b-c255c8d6c329/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 6339585ae21633ce485f2b874c9797c84c5326b325847a44361e6978da77b758

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/74099/
  
URLhaus
https://urlhaus.abuse.ch/url/727614/
  
Delivery method
Distributed via web download

Comments