MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments 1

SHA256 hash:	63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464
SHA3-384 hash:	a15fc67ebcf502afdab8800884e88d4384413dfcd885b88ac5b92cabde42d7fb8d9a078ea1896652c0a716d99bae5f1d
SHA1 hash:	81a4d36f6db4cb5fa5f2436ac7369fceb95e581d
MD5 hash:	0be154b22d831552551fc0bc74aae9dc
humanhash:	alaska-avocado-cola-robert
File name:	0be154b22d831552551fc0bc74aae9dc
Download:	download sample
Signature	Loki Create hunting rule
File size:	580'096 bytes
First seen:	2023-05-24 10:18:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:j2N8jiZ4zypIPsEEtPplTY6RhKuuOaW8REroGPpsEjlGf5ZNubk:j2N8jiZ4zypIPsEEJTDEt+oZc6PND
Threatray	4'161 similar samples on MalwareBazaar
TLSH	T177C40288A67E6B4AD87B93F5045415B8433E9C6AB572E3470EC3B0DE5A64B041F42F3B
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

289

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0be154b22d831552551fc0bc74aae9dc

Verdict:

Malicious activity

Analysis date:

2023-05-24 10:21:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fd76b68e-b8b3-487a-8c57-bb2b5cb4eb33

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/391121/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.5433.20382.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lolbin packed

Link:

https://www.filescan.io/uploads/646de498cf634b8f311af86b/reports/c3b6c90f-71a9-4f92-99ab-ef1e5acc606a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a4f42718-6223-48b5-9bf7-8b81852d6c84

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1241538

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-24 10:19:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mo24tnbubsvtxlhzp7liny4zb7xw6ahlnyxxk5ynfwdrdue4ersa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0af4bdeb4de3a9f8cac5601c872cd4d9a7e9fb06a4fc0a7ed4fb60d6cb64b957

Loki

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188

Loki

79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4

Loki

f3797cb6054ef9d5de1b4ecb2745424ef0481c5cb28ec2f2384d2591019e1650

Loki

+ 4'151 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230524-mchqnace8t/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://185.246.220.85/fresh/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

a14abed5633b7c382e3d1b842986f552f7061079e1630867fb4d6f982d2a31e2

MD5 hash:

702f65d6f4dc87cec9ae9c3c7c9a39fe

SHA1 hash:

ef4bf2136367960a9897b5609e11b296eb66db95

Link:

https://www.unpac.me/results/0ff4dd38-51f8-40f2-b4e6-5f536150db2f/

SH256 hash:

16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d

MD5 hash:

fb4ed205b442f470bbf10913128efdcb

SHA1 hash:

9a0a4c5ae429769e3253a9a3daefa24270b87a5b

Link:

https://www.unpac.me/results/0ff4dd38-51f8-40f2-b4e6-5f536150db2f/

Parent samples :

ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e

SH256 hash:

a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb

MD5 hash:

de906fce89f615f303ddfb80c1b37b35

SHA1 hash:

3568e3f9f0731da9a3294f4f8de61f95dc3eec31

Link:

https://www.unpac.me/results/0ff4dd38-51f8-40f2-b4e6-5f536150db2f/

SH256 hash:

07686bd3670d7660420f09f8771135bb16588e15b45561219ead1841952d38f1

MD5 hash:

046a6366921953d042f7a0ffcb26c50d

SHA1 hash:

2dd27e32320fc0277397f57d24ed4b13d99e09ac

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/0ff4dd38-51f8-40f2-b4e6-5f536150db2f/

Parent samples :

4de70d7c97aac4c236396bb488f748b432fda9537e06afa042a77235b1cb8117
36ffec829c35dbf09529550e086446cfd835b4a43c71014ab217783fde2bdb9f
dc77fa38dcbfa8304ae07b051d7658f367286bc92005d327a34c944975719b00
ae4a3ef24f5482b9344969457ac89e08d2598a3721f1725325e86039758f91a2
763fc70c680ac478f31474306d6bb7a0f34893f98d691e0a49b6948a800cf7d4
307b462b554900aa1b0802f4e89752cde49cb4045bc83ac8708578d37ebdadb0
db182e4d02790fa627a9d62e3b9439203d2dd5c88c44a5355a7681b7defe24da
93cc16dfe8c10579f28d8d70196f5c64044493818861f32c9d3e8f15cc3b7aaa
f85b9025ca21804e4ef484b69c89ab2f70de661606b5987e8ff32111256b2a70
90d7dc2cd673fb159368c95d06eb59523898f1498a6d9ce5eb8618690d93e724
15a2d3053598efc70f0ac04252def24ef4dcb216b0ef0a25a957916c8a42207c
72e9d6672de64aae16ae8f4433a9ed08171a7f86decb0d134a03123dd93035d8
21e0ec96d06a0b1e71712fd34ce50e1e4c5a937e8fe8c21f89c5eade948affd5
b6219cebfd6180b0278dc07062893751f3e9c056a23b0b876b2752513cc4a1a5
d3d3facae5e604eded7bf28b146dff57334aa0d9691f1f32eb6f0a30f819bcb8
b7af929b8d99a8a2ec29774cd6c8cf77071b4c865bfe140aedf8b181ce54df89
63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464
da108473566740a4ecd7f86677ee7a22779808be300f3329ca4a6d8877d0fcdf
4e21a93e941a2e0899526af6e6196ab23b2c916bdd01a396a7c546122b1980df
d9b8816dc05c98d38419c94b02dc18ebd9494d13088ca2e1bb757f987001c1fd
0709f9e2f76a07b22aa5361179d7120bd8127fc42a0f5c289f73e8f764460092
07d199eaef476d20fa7fde86555086bc6193f7426f4b38513299928f06939d8f
1290e2fa7dd284fcddc2bf9caeac02ccbae1f1e715766eefd7644c245a6ecc53
35c38475ab2e902a2f2c56b2b17f27afb10b3b56365c853a8bb33a9c906366e8
48e32c11cf9fe47ee75f05a9cd9c1bf4598869fe1564eaf7c1bbabf309e823b1
9d19092e410ffb1914d7cd9271ec34b5aa8973eda65fd821851e53921a7017fe

SH256 hash:

0461c9bf133011d5f0813ae4f9c741b20733dc2902fbbdabb700ac2fe68f5d98

MD5 hash:

21c07244914281bd8bdf6c2ebf4eacdd

SHA1 hash:

2cf80bee67b6b3bc13fbf73578657254d2bf50c2

Link:

https://www.unpac.me/results/0ff4dd38-51f8-40f2-b4e6-5f536150db2f/

SH256 hash:

63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464

MD5 hash:

0be154b22d831552551fc0bc74aae9dc

SHA1 hash:

81a4d36f6db4cb5fa5f2436ac7369fceb95e581d

Link:

https://www.unpac.me/results/0ff4dd38-51f8-40f2-b4e6-5f536150db2f/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/63b5c9b4340c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 63b5c9b4340cab3bacf97fd686e3990fef6f00eb6e2f75770d2d8711d09c2464

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/391121/

URLhaus

https://urlhaus.abuse.ch/url/2640009/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-05-24 10:18:28 UTC

url : hxxp://103.14.224.41/370/INT_CACHE.exe