MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs YARA 14 File information Comments

SHA256 hash:	7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e
SHA3-384 hash:	736f3e9516b7e3156f7b07445933782efd7eeec11b43c05300413f24c008097fec5feb8dbff5a2ebdb70c5e33fbdef74
SHA1 hash:	cee45ad78360c3665af73184471b05e12a73dd5d
MD5 hash:	b158c924678cd5bac37bfd7bfc9d8781
humanhash:	india-whiskey-cup-thirteen
File name:	csrss.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	1'238'016 bytes
First seen:	2021-07-29 13:26:40 UTC
Last seen:	2021-07-29 13:45:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:KvS/d3MKzksWks+5h9D1Rf0jNr27X7Jy8jh8N6ZN5Z:IKtxhmBK7NuN6ZN5
Threatray	3'861 similar samples on MalwareBazaar
TLSH	T1CA45E038898C9F96CC5803740A5846345EF4ADE2F2B0C8AC3D9D75B1B7F1D29EAB6345
dhash icon	c4b4e6e69898d2c4 (11 x Formbook, 11 x AgentTesla, 4 x NanoCore)
Reporter	info_sec_ca
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Document_Set_2021-07-29T113853.467.xlsx

Verdict:

Malicious activity

Analysis date:

2021-07-29 09:24:07 UTC

Tags:

encrypted opendir exploit CVE-2017-11882 loader trojan lokibot stealer

Link:

https://app.any.run/tasks/d2a70593-9a47-49a4-a46c-6adbd6fab28e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/175036/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.967.26167.14919.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16dd9666-daa8-4c29-a2fa-799d46e0bf63

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/823844

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Sigma detected: System File Execution Location Anomaly

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-29 13:27:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 27 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oij6na6zotwspsin5kj3idfklrexzjflta2ocwnnw2pxxzosbapa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer suricata trojan

Link:

https://tria.ge/reports/210729-57ybfg4kfa/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

CustAttr .NET packer

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://manvim.co/fd5/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

8bfac86ce2ec065cbc02812f682378688a932ffe44c43f97a9bc75150c37a6fc

MD5 hash:

8dc967bad88873101b3a0da0138324ef

SHA1 hash:

d3c0ad2a8c5eff56a46195ed919b34812087c5c0

Link:

https://www.unpac.me/results/e903bb1e-0e3e-41cd-97a7-4f79d2cd568b/

SH256 hash:

97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438

MD5 hash:

68463851c0e6fe7a254c99fae763d454

SHA1 hash:

4587a5371d88c296a0184fe47ee0c5245b187127

Link:

https://www.unpac.me/results/e903bb1e-0e3e-41cd-97a7-4f79d2cd568b/

SH256 hash:

bfd15cc2a18eb65fe3d75e68a92b73509277bad7d65dfd503722f4c09c2f00e7

MD5 hash:

c7d4f4a65deaecd5f2f89013e8b4e7f5

SHA1 hash:

34235904d4f9d2cbb0a666d339d99771dd2f38cd

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/e903bb1e-0e3e-41cd-97a7-4f79d2cd568b/

Parent samples :

a6aaddec76836b2a28fc166f5d61c494fb7646bf39accdd5302fd1d780b629f7
f65830401cf628b23ffb0de217cb465b985797ca7ff4129753511f3f93862590
822c7b5b3b56f0826494e8d4490f141f5dfd34dad0201699acc797d93efe577e
260787b8265c23f5bd922d6345f14a7f6242e336375544e96fe325e31af8a5d0
7746d06b49835e0b431daaa65c560b936ba1598e886a1749496966da2918ce87
1ea40cca77e0d4e409a0a2364b57d43b05ee46736b2b656744054790e0c8608d
58aa35af01b43dc0e414a64d596cb2416384e0b0085d0a6137676fc56dbc3c07
61fc463e85fb2fa581c8d7ba3321992bfe69d28dc8ca06660875d8b9e9701ecc
06c7f215dc0c66b7c65d344dd461bdc9f13f948d53a4d36914594dee780d9ac2
7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e
0b69967e2521d32bbe7e73b50d7458aaf1ef1d61e4ba3ecd3fcbe4efde30a37a
c655cc215970dec5d45327944a3766c92b4bc3d9bb7151f945b9e33d681ab147
3f4e7765b271ea4766c05cb4a29e14b22ec22d4ad42da74372fc3b475b0f0566
e3c270600328928f0c6576743fd759ca88b86abb024ae180549c3a5be0e7e41e
276df8a116116425e538bfea657c789006d45a6e9f2802f396154574aa0085e3
c4b7287b0bb9ecfc2f4d2fb4dcb39452bb13714398dcff0cddc3ae4a673dae0b
f72043a7f6269e23272d97de16df7f3cd04a0c7463f6f16175b66332fe336083

SH256 hash:

7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e

MD5 hash:

b158c924678cd5bac37bfd7bfc9d8781

SHA1 hash:

cee45ad78360c3665af73184471b05e12a73dd5d

Link:

https://www.unpac.me/results/e903bb1e-0e3e-41cd-97a7-4f79d2cd568b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 7213e683d974ed27c90dea93b40caa5c497ca4ab9834e159adb69f7be5d2081e

(this sample)

Cape

https://www.capesandbox.com/analysis/175036/

URLhaus

https://urlhaus.abuse.ch/url/1490342/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample