MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 16 File information Comments

SHA256 hash:	69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29
SHA3-384 hash:	57c8ee21f6602b756a53b113fef1eb09a6e7bc316a2de78f06bab95f2fafc3492ea8418a1c45fb7acff337eb6e668ed6
SHA1 hash:	4b4eaeb0eb6990e5af8d2ebdfdba6cf1ade07304
MD5 hash:	1c77d9b43c4770cf84c41a5c4a53f098
humanhash:	july-mockingbird-kilo-crazy
File name:	Mintech-PI-31032023PDF.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	562'688 bytes
First seen:	2023-04-03 05:30:15 UTC
Last seen:	2023-04-03 06:34:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:u3tzLwrgXK87/s33htGMZr3zso/xf4l+rvslA:VUXK8DsHhtGE3zn/xNvw
Threatray	4'013 similar samples on MalwareBazaar
TLSH	T11BC4128D3A5C5A2BC71E46FFA072910943B99935E916C3DA0CC57CBE1AF3B984406EC7
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://64.227.48.212/?page_id=3328

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Mintech-PI-31032023PDF.exe

Verdict:

Malicious activity

Analysis date:

2023-04-03 05:33:16 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/3dae4a1b-e0d2-4af2-939a-236a80d63891

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/379474/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lokibot packed

Link:

https://www.filescan.io/uploads/642a64975a075383fbff294b/reports/04ff2289-2d38-459d-88dc-005da8771d9f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/266b1b5a-b81d-407c-bbad-0ab8eb7eadb5

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1206784

Signature

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-04-03 04:07:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nhx5m5pom437mffi5ikpjmjfwjojwpmavoib2loqajedpyhfvquq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0bcb9bf4516773558cd8464a3b7795d3752f8eb27840e848db87a55df9393d25

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

7ad407db0255d8fb99c3e55c50a6ce76db3b1386c8ced5b2b3866720194e9d9d

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

def88fc364ed03678d528bfd6bc39f19ff1831b098aaf0705fa13063c4044a2a

Loki

fa4058c30f37d1cdb72e5bbcc467ff8f9b584b090bfdf723ac1f04817980096a

Loki

+ 4'003 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230403-f7qanada24/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://64.227.48.212/?page_id=3328
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

5214b6f85d7e9fdd8aa6ce50634c44f35d1ba2ed033198a10527c01370a6de9a

MD5 hash:

20176b94d1fbf325ae623245e7243869

SHA1 hash:

c90cbf65a619cc1819c94861f79b22e38a4c0480

Link:

https://www.unpac.me/results/839c2a80-be29-4c01-9bdc-76d7aaf9af46/

SH256 hash:

9d9536e58881c3372adeaa0d111c08eda5a3b030386007f44f4174bd9c6b1b85

MD5 hash:

50169ddb605f595cb5c2021374f59063

SHA1 hash:

9b869892ea2a0aa0b349b3533a4cfc264aad3841

Link:

https://www.unpac.me/results/839c2a80-be29-4c01-9bdc-76d7aaf9af46/

SH256 hash:

35fd4366f0efd4dffa6666e550bffe9b2ee4af5b107de4127918d9f9a9e02c7a

MD5 hash:

477fb034dcb7dd435b6e96fd993673d2

SHA1 hash:

99f280e15d5b6850111326cadfbdbca36040d6bd

Detections:

lokibot

Link:

https://www.unpac.me/results/839c2a80-be29-4c01-9bdc-76d7aaf9af46/

SH256 hash:

3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa

MD5 hash:

e79bf0e7e9d52d398e0b23b352394c68

SHA1 hash:

682325763a0ec77e0fd475ea3a4021b4651eceac

Link:

https://www.unpac.me/results/839c2a80-be29-4c01-9bdc-76d7aaf9af46/

SH256 hash:

33d20707f3877a75bb90511213375c3f3ad6e7c36d1cc7dbf89f9300a0a114d5

MD5 hash:

38ab64dfcac8e8ebfb02add59f403325

SHA1 hash:

24540291f9efd7eb05b556cd1db79fedae0e8869

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/839c2a80-be29-4c01-9bdc-76d7aaf9af46/

Parent samples :

69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29
1f4ba3e37b0bb7a99563ad72e2314d7b3d1a0af6810576c2155facff5cda4944

SH256 hash:

69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29

MD5 hash:

1c77d9b43c4770cf84c41a5c4a53f098

SHA1 hash:

4b4eaeb0eb6990e5af8d2ebdfdba6cf1ade07304

Link:

https://www.unpac.me/results/839c2a80-be29-4c01-9bdc-76d7aaf9af46/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/69efd675ee67/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/69efd675ee6737f614a8ea14f4b125b25c9b3d80ab901d2dd0024837e0e5ac29

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/379474/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample