MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 13 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed
SHA3-384 hash: 47830d0d27b80f96ab3e9136e7e04a2274872ac8b1177ca0763b87a25dcf591041dbb759f28fe0bd90eb1b69f507534f
SHA1 hash: ffda5f6875d7784572342082d8ed58dec657b5bb
MD5 hash: 346cf0402aa3f87e686a16da0d73e419
humanhash: beer-triple-october-early
File name:346cf0402aa3f87e686a16da0d73e419.exe
Download: download sample
Signature Loki
Create hunting rule
File size:197'120 bytes
First seen:2021-04-29 11:16:35 UTC
Last seen:2021-04-29 12:18:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 20a3b8299db6e8582c3eb04a6c72e959 (2 x ArkeiStealer, 2 x RedLineStealer, 1 x Loki)
ssdeep 3072:TjWsLkxCJiC8g4Lm1TKIso1ayHeHolqQzEwhgFE6LrXENH5hyUh:/XLSop4oTKfoFjzZ2K6Lr0ZyUh
Threatray 2'888 similar samples on MalwareBazaar
TLSH B214BE1535C6C0B2C096267A8565CB758EBF786125237A8F6FE909FD4F287A2DB3030D
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://amrp.tw/chud/gate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://amrp.tw/chud/gate.php https://threatfox.abuse.ch/ioc/22258/

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/146616/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.5773.4005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Changing a file
DNS request
Replacing files
Sending a UDP request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/702078
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 08:52:05 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=muyj7h4mfmtmos44o7a7ytfyrbbqeg36fnwezdwrykwhiozabpwq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
296828d37dd5732fa8bc85dd59c8032bdcbbf5aff62399ae72cabdd1989c475b
Loki
52be9c6c04342ea2394ea5585b2b29b1626527957577c970a76abc7476fce541
Loki
5d5c83ef1689244a96edcffb1c59f88a164b2f6c0881214e4338b82c61b28072
Loki
85261f175271fe271ff3010d3eb2ec251f1d14aae84a25cddcd189b81b32b415
Loki
8ab0599e3f141523358e5b60ef3cd9a2fb1fdbde52cb693e675a9004a25ff007
Loki
c58fbeb3e1e201cc858d6ed409bd855badf5cc28532dee064eea488eaa5eb130
Loki
dbaa398de1b40abb82f8e4edb5e4490cfecd975f005818a49e5dd309075b8994
Loki
def77e7d904351666d811474ea382080dde5326273039b91c1ee91113d5d7006
Loki
eaa14ff5cdf3ec428bd1b0c2689272996741a4c93f3c1289934057c3c5cafc78
Loki
f0e0dc565de7848f2843a5b465929a00816554232479641f4e2259065a5ee5f1
Loki
+ 2'878 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210429-8n8qb1tate/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Lokibot
Malware Config
C2 Extraction:
http://amrp.tw/chud/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
ea20a33a61ee3caf6ed3a02e8c2a71013f26e4e325d92ef9b85ba50957484c1c
MD5 hash:
c2c7a4aa2ef2d76ad9afa03b3828aa83
SHA1 hash:
fc7fb3cae3498900109d2e9554bf3af1fc97ac46
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/f3fdfc0d-313a-4e0f-9468-7e6e930d1a9a/
Parent samples :
65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed
b1c19db83bdddbc4d91689cf0c9f035bd7778492c164fa664f99552dedc1ee10
SH256 hash:
65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed
MD5 hash:
346cf0402aa3f87e686a16da0d73e419
SHA1 hash:
ffda5f6875d7784572342082d8ed58dec657b5bb
Link:
https://www.unpac.me/results/f3fdfc0d-313a-4e0f-9468-7e6e930d1a9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_pony
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 65309f9f8c2b26c74b9c77c1fc4cb88843021b7e2b6c4c8ed1c2ac743b200bed

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/146616/
  
URLhaus
https://urlhaus.abuse.ch/url/1182833/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1182844/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-29 12:06:46 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0049] File System Micro-objective::Get File Attributes
3) [C0051] File System Micro-objective::Read File
4) [C0052] File System Micro-objective::Writes File
5) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
6) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
7) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
8) [C0040] Process Micro-objective::Allocate Thread Local Storage
9) [C0041] Process Micro-objective::Set Thread Local Storage Value
10) [C0018] Process Micro-objective::Terminate Process
11) [C0039] Process Micro-objective::Terminate Thread