MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e
SHA3-384 hash: 7ad1f1258852440bc206a1c57d08dbf96e8f81333fb3aa7c34e6bac1c0fca2b79d3c04501201bb40fd7e7a9ba9b6a4f7
SHA1 hash: 4b02b3b59c0cde3b4dcfeb17c3921ac419a7ebe3
MD5 hash: 98d09abc36800d204fd55df87679ffb9
humanhash: december-lamp-indigo-black
File name:98d09abc36800d204fd55df87679ffb9.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'083'904 bytes
First seen:2022-10-04 12:45:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:kj+Os4K4HTNanseaQRlHVF7NKViqyqHUP+BYFAaxXeH4N4eXb:NXaQjb7ciwUP+B2LAH46eX
Threatray 10'077 similar samples on MalwareBazaar
TLSH T16335E03513E29A0AC0521735CDD3C3B0AFE84E64E276C2474FD9FE5BB5772EAAA01245
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://162.0.223.13/?OpqycIYJoIxPvNI7mSRvpEdWbvlzd7L2wbAJUztih08MOR

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://162.0.223.13/?OpqycIYJoIxPvNI7mSRvpEdWbvlzd7L2wbAJUztih08MOR https://threatfox.abuse.ch/ioc/870433/

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316516/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.2700.21478.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
packed
Link:
https://www.filescan.io/uploads/633c2b0bd089a0c15dd508be/reports/4bc040df-049b-42fa-9bd7-f5050773bbb7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06281c47-b276-4104-b5a1-74cba6e3b080
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083777
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716334 Sample: Imru3H1sDB.exe Startdate: 05/10/2022 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 9 other signatures 2->50 7 Imru3H1sDB.exe 7 2->7         started        11 rxKcpq.exe 5 2->11         started        process3 file4 34 C:\Users\user\AppData\Roaming\rxKcpq.exe, PE32 7->34 dropped 36 C:\Users\user\...\rxKcpq.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmpF4F3.tmp, XML 7->38 dropped 40 C:\Users\user\AppData\...\Imru3H1sDB.exe.log, ASCII 7->40 dropped 52 Uses schtasks.exe or at.exe to add and modify task schedules 7->52 54 Adds a directory exclusion to Windows Defender 7->54 56 Injects a PE file into a foreign processes 7->56 13 Imru3H1sDB.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 21 rxKcpq.exe 1 53 11->21         started        24 schtasks.exe 1 11->24         started        signatures5 process6 dnsIp7 42 162.0.223.13, 49701, 49702, 49703 ACPCA Canada 13->42 26 conhost.exe 17->26         started        28 conhost.exe 19->28         started        32 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 21->32 dropped 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->62 64 Tries to steal Mail credentials (via file / registry access) 21->64 66 Tries to harvest and steal ftp login credentials 21->66 68 Tries to harvest and steal browser information (history, passwords, etc) 21->68 30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 12:46:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=npk3x2u3almz6fl6deo337rno4sjrq2egslhhdrmrwjksyl2bgpa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
132b2bec8d938eeff8eaa559349a7a2a272a957fef0e4f3e9bcb4241eadf7e68
Loki
1757bb219f27379b3af4bd3b3bf2414db8996f002051908faff66f94515fd9c3
Loki
297b5625bfc9158c4b69b45b82bf9401b548222026efabaf7738caa87984c533
Loki
35bf40f65ad336f3d6192dd5b520085fe55780d9740f697de15923712c87f6d3
Loki
61ceb9bb8363e17528ed811b0886a9aa174f5b26fe8e20cf9393d4d2d9df8041
Loki
8889a80ba52046a9980a2575191afbf1eed046dccc770acb32542e648e1dd7a1
Loki
d361d688e58fafb99967afc805bd203c1f743a113b8c76c7e94b2960f40b285d
Loki
e0fe12504cc638820796299a68a761cfad56c38c3390f6ac010b40eb8daec63c
Loki
+ 10'067 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221004-pzmdgaahg8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://162.0.223.13/?OpqycIYJoIxPvNI7mSRvpEdWbvlzd7L2wbAJUztih08MOR
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63f7dbef-d78e-4236-83c9-758696605a6f
Unpacked files
SH256 hash:
cfd4764fc7dae26c78cd54a92f0d8a2a1629f5fd72f60289561817dea2d5c08b
MD5 hash:
962a56be51b339b2d8741f44dbde2a12
SHA1 hash:
e0cd3caa6add122ac9a803430352624e701fe3da
Link:
https://www.unpac.me/results/96d6531c-65b0-4fb6-b506-6254a3ef828f/
SH256 hash:
a04c799fa302c78d04acc3b4be8ccbde2f7fa00fe515daf18a2fc7e65fad3b13
MD5 hash:
d76812ec4cbc45e1e26ed36691596f7e
SHA1 hash:
c854fe9792694fb464a0bed51c737ff61ccef736
Link:
https://www.unpac.me/results/96d6531c-65b0-4fb6-b506-6254a3ef828f/
SH256 hash:
f3046fb3bfbc8bf540bff8ae8ac3a51e5bf39199612a1c028724e8122541f587
MD5 hash:
ea1542cfe2d1741035c1be2d265c3779
SHA1 hash:
8bf1074d75ec8bcb38302fdbc1e2e52b49b85c92
Link:
https://www.unpac.me/results/96d6531c-65b0-4fb6-b506-6254a3ef828f/
SH256 hash:
f7df5564dd5f186c44083d4b0d0c3980acf7f65449957ab9439d79d3976eb9df
MD5 hash:
099b481f10b21772b4011f99df321375
SHA1 hash:
47b87a2bb0227fd8acc56be54bdfc84c4f31db2e
Link:
https://www.unpac.me/results/96d6531c-65b0-4fb6-b506-6254a3ef828f/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/96d6531c-65b0-4fb6-b506-6254a3ef828f/
SH256 hash:
6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e
MD5 hash:
98d09abc36800d204fd55df87679ffb9
SHA1 hash:
4b02b3b59c0cde3b4dcfeb17c3921ac419a7ebe3
Link:
https://www.unpac.me/results/96d6531c-65b0-4fb6-b506-6254a3ef828f/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6bd5bbea9b02/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2348190/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/316516/

Comments