MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eae3e24c55f21e9e559702caff91a3d0144ef6fe00eca90df7d902faebf23c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eae3e24c55f21e9e559702caff91a3d0144ef6fe00eca90df7d902faebf23c3
SHA3-384 hash: 7af800bd6f5f1cf0a2f90fcac3802872f63712b2cd731ea35f5696a53b2227884d2dec023a57dd03af3dcaaa90f25dbb
SHA1 hash: b74ff3fd6a611f2e73f18dcaeb36edfaff9e9cb4
MD5 hash: 02ba74645ca89fe0cfe8f153b85b0a31
humanhash: mexico-monkey-kilo-vermont
File name:IRQ2107798.exe
Download: download sample
Signature Loki
Create hunting rule
File size:566'987 bytes
First seen:2022-02-16 07:15:53 UTC
Last seen:2022-02-16 13:27:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 12288:MQ/5lnMHJ2P4R5NhIpciNh3P0lZrG/m6JEB9mrhA6ZR:v/jnc15mciN10fG/a49ZR
Threatray 6'321 similar samples on MalwareBazaar
TLSH T115C412E8B4C5E571C4288533A867C87AE770AC28D6B2527377055FF92F412F39A36386
File icon (PE):PE icon
dhash icon c498b8c8d8d4d8c0 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://164.90.194.235/?id=54083300496945222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://164.90.194.235/?id=54083300496945222 https://threatfox.abuse.ch/ioc/388110/

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/241807/
Detection(s):
Win.Dropper.Temonde-6571898-0
Create hunting rule

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe nemesis overlay packed shell32.dll virus
Link:
https://www.filescan.io/uploads/620ca4b6875593a3ccd55182/reports/f41a4344-4530-4e43-bce5-4d2498c948ee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/940599
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573077 Sample: IRQ2107798.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 84 16 Found malware configuration 2->16 18 Malicious sample detected (through community Yara rule) 2->18 20 Antivirus detection for URL or domain 2->20 22 4 other signatures 2->22 7 IRQ2107798.exe 19 2->7         started        process3 file4 14 C:\Users\user\AppData\Local\...\yadlmtgif.exe, PE32 7->14 dropped 10 yadlmtgif.exe 7->10         started        process5 process6 12 yadlmtgif.exe 10->12         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eae3e24c55f21e9e559702caff91a3d0144ef6fe00eca90df7d902faebf23c3/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 07:16:10 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=n2xd4jgfl4q6tzkzoawk76i2huauj33p4ahmveg7pwic7lv7epbq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
03f95f38206c97a22729410f7370638a2832564f8fbf9930d6a77187b643aba1
Loki
132ab6bad9a67e89e621caa83db4baa17664e89d8d13a12fba8f2e8a1e72e48e
Loki
6dd1c29a05cc6e24d9b0cad1cf09b31f71119a890fbcede2319a88764fe0bf5a
Loki
9cbed5eff56e1c08b6040c8ab4977e76528d59368d9d0550626b5380513ecb7b
Loki
b20256d1444836e3b99830ad0e6039478db5252eaf692c968f5e0ff76151d89f
Loki
b98d87718d8368b86ecc76bc0e95a1455a78239b8ef076c535f3219587861be3
Loki
effd0df81d379a3d84ca32d0c345555636736d37c144475effb2d629f5d2eca1
Loki
f3495f0adf003d127cd7c3ff28dbc1b88f3776ebf379b4f4cbe7e44ecd690620
Loki
+ 6'311 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220216-h3s7vscfem/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://164.90.194.235/?id=54083300496945222
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
28b54462ba703be3626a7f2ce43ef63cd283617744cd9e6b6f417a4ebe7e7f4e
MD5 hash:
c2b4f366f8b4fa66587ffa5d6fa9aef4
SHA1 hash:
3eee4f4b165e686b5d9260b2f10f81108dc667fa
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d9708699-c004-4d21-b7eb-277b2131a663/
Parent samples :
6eae3e24c55f21e9e559702caff91a3d0144ef6fe00eca90df7d902faebf23c3
7f6ffc1a187ca58f53519b1efd9d1caafe97989e6ff5efc100a2a77eaba996d2
fbef000a07f200da1ee608434afbe5d7a62fc0f2ca3858a83fe708eec330c64d
SH256 hash:
af22b6edb2f408a9296641dfc60539fa9ed8cc031cce18af01b84e5f976ba77d
MD5 hash:
7837eb46b5a9f09dcf13c78a98168368
SHA1 hash:
5ae32c7ef1c7ffba444220d7bba0bf59ad7b0b53
Link:
https://www.unpac.me/results/d9708699-c004-4d21-b7eb-277b2131a663/
SH256 hash:
6eae3e24c55f21e9e559702caff91a3d0144ef6fe00eca90df7d902faebf23c3
MD5 hash:
02ba74645ca89fe0cfe8f153b85b0a31
SHA1 hash:
b74ff3fd6a611f2e73f18dcaeb36edfaff9e9cb4
Link:
https://www.unpac.me/results/d9708699-c004-4d21-b7eb-277b2131a663/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6eae3e24c55f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6eae3e24c55f21e9e559702caff91a3d0144ef6fe00eca90df7d902faebf23c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241807/

Comments