MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ff407811ce5f14f5302bcb2646e67946293cb333f6c8550801d80fea2af9ec1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments

SHA256 hash: 6ff407811ce5f14f5302bcb2646e67946293cb333f6c8550801d80fea2af9ec1
SHA3-384 hash: f31bdfee2529cb8c1822d672ad087b85ddcb57fc71fdc743ef3fcd230d937ec68d5acfcc3b2a4c445a2251f50cc7339e
SHA1 hash: 9fe97ca78a39d50bfa2610e3f4b8a76e4db78377
MD5 hash: 641139188c9eb5ee84d12eebb22e0dad
humanhash: harry-oranges-mobile-pluto
File name:????.vbs
Download: download sample
Signature Loki
File size:35'571 bytes
First seen:2024-09-24 08:20:15 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:3Y2yRfD0I1dAONNjvmRr/fZzhACSFKeEQ:UfII1dpbjy9zhAhU6
Threatray 4'417 similar samples on MalwareBazaar
TLSH T1ACF29C65D845635401A373A3CCA98FF7B4A821715CB7346C3B24A0D97C85E08E79E9EF
Magika vba
Reporter abuse_ch
Tags:Loki vbs


Avatar
abuse_ch
Loki C2:
http://137.184.191.215/index.php/039

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://137.184.191.215/index.php/039 https://threatfox.abuse.ch/ioc/1328766/

Intelligence


File Origin
# of uploads :
1
# of downloads :
153
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Tags:
Execution Network Stealth Monitor Gumen Sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated powershell
Result
Threat name:
GuLoader, Lokibot
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1516479 Sample: ____.vbs Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 40 drive.usercontent.google.com 2->40 42 drive.google.com 2->42 58 Suricata IDS alerts for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for URL or domain 2->62 64 8 other signatures 2->64 10 wscript.exe 1 2->10         started        signatures3 process4 signatures5 70 VBScript performs obfuscated calls to suspicious functions 10->70 72 Suspicious powershell command line found 10->72 74 Wscript starts Powershell (via cmd or directly) 10->74 76 2 other signatures 10->76 13 powershell.exe 14 19 10->13         started        process6 dnsIp7 48 drive.google.com 216.58.206.78, 443, 49702, 49709 GOOGLEUS United States 13->48 50 drive.usercontent.google.com 216.58.212.161, 443, 49703 GOOGLEUS United States 13->50 86 Obfuscated command line found 13->86 88 Very long command line found 13->88 90 Found suspicious powershell code related to unpacking or dynamic code loading 13->90 17 cmd.exe 1 13->17         started        20 cmd.exe 1 13->20         started        22 conhost.exe 13->22         started        signatures8 process9 signatures10 52 Suspicious powershell command line found 17->52 54 Wscript starts Powershell (via cmd or directly) 17->54 56 Very long command line found 17->56 24 powershell.exe 15 17->24         started        process11 signatures12 66 Writes to foreign memory regions 24->66 68 Found suspicious powershell code related to unpacking or dynamic code loading 24->68 27 wabmig.exe 1 83 24->27         started        32 cmd.exe 1 24->32         started        34 wabmig.exe 24->34         started        36 wabmig.exe 24->36         started        process13 dnsIp14 44 137.184.191.215, 49711, 49712, 49713 PANDGUS United States 27->44 46 142.250.185.129, 443, 49710 GOOGLEUS United States 27->46 38 C:\Users\user\AppData\Roaming\...\31437F.exe, PE32 27->38 dropped 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->78 80 Tries to steal Mail credentials (via file / registry access) 27->80 82 Tries to harvest and steal ftp login credentials 27->82 84 Tries to harvest and steal browser information (history, passwords, etc) 27->84 file15 signatures16
Threat name:
Script-WScript.Trojan.GuLoader
Status:
Malicious
First seen:
2024-09-24 08:21:06 UTC
File Type:
Text (VBS)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Result
Malware family:
lokibot
Score:
  10/10
Tags:
family:guloader family:lokibot collection discovery downloader execution spyware stealer trojan
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Guloader,Cloudeye
Lokibot
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:detect_tiny_vbs
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments