MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172
SHA3-384 hash:	35183dd11b79f7023159d956065af3983e3075d3f541751eca95bae6f217438573a448516e2d9ee05812cd3b56d7cc46
SHA1 hash:	c7c0a7175a6a838348cc474b293c0847caf074b2
MD5 hash:	9f1f5ecb148e6e648a6a2466b29f7f2d
humanhash:	edward-fruit-pip-winner
File name:	9f1f5ecb148e6e648a6a2466b29f7f2d.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	629'760 bytes
First seen:	2020-10-13 08:20:52 UTC
Last seen:	2020-10-14 04:36:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	5f8ce99d6ad75c2b34e5fbb6b24c4395 (15 x ModiLoader, 4 x Loki, 2 x AZORult)
ssdeep	12288:2OZlAvXBW34aSHxF5en1PwGP0eAMNzVP+Vd13IdeK:DlUM4aSHTUn1PQeLNzVGH1XK
Threatray	32 similar samples on MalwareBazaar
TLSH	69D49EF3B2E14433C17626795F1B97FC682EBE132D28A8462AF51D4C6F39681742B193
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://104.223.143.132/ecflix/Panel/five/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70351/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.36912.32744.4644.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

DNS request

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/489417

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-10-12 20:59:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=nnj3ufaxf4ajjiao37xzncd2vma6rmoetpogwhzu27zogl4i2fza._file

Result

Malware family:

modiloader

Score:

10/10

Tags:

trojan family:modiloader

Link:

https://tria.ge/reports/201013-dce7rbzpya/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

ModiLoader First Stage

ModiLoader, DBatLoader

Unpacked files

SH256 hash:

6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172

MD5 hash:

9f1f5ecb148e6e648a6a2466b29f7f2d

SHA1 hash:

c7c0a7175a6a838348cc474b293c0847caf074b2

Link:

https://www.unpac.me/results/01a8fb10-46e8-4362-8415-ce3e762c7451/

SH256 hash:

f45d6b9777f10fbab5be5eb2dac740d78bd1197d364ea8f2146a681ff571f11e

MD5 hash:

74d52cec69379e42fcf8ea903e3264e2

SHA1 hash:

c8a0ccab5075fd23f9cdd6c46e244e15a1543e3d

Detections:

win_dbatloader_auto

Link:

https://www.unpac.me/results/01a8fb10-46e8-4362-8415-ce3e762c7451/

Parent samples :

838a8c1b12270b248fd13d1f110998a79ee9442d19fb3f3562dfe734d7033367
6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172
35fe99cece48f4b41d99b8ab41cfe2b894007dd56fdd3999cb5e989fc7cf3fca

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b53ba14172f0094a00edfef96887aab01e8b1c49bdc6b1f34d7f2e32f88d172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_dbatloader_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com