MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 722f3b6fd1145b2572e70b531b4ba55889aa9e90f3e5908827467c072469d558. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 7
| SHA256 hash: | 722f3b6fd1145b2572e70b531b4ba55889aa9e90f3e5908827467c072469d558 |
|---|---|
| SHA3-384 hash: | 9125b0a61d06e0bf75e51cff48b2e050fb857740650ba0c182e7f1768401b338931b76c3422014688adcfd63494ad1e2 |
| SHA1 hash: | 4d28cf40b6552c17ac31c4b0d9e5c069baa57ceb |
| MD5 hash: | bc9185209a77d179cfdf21a1370ed177 |
| humanhash: | potato-hydrogen-cat-ten |
| File name: | PO 201023-042A.exe |
| Download: | download sample |
| Signature | Loki |
| File size: | 731'648 bytes |
| First seen: | 2020-10-23 06:46:06 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 12288:E2UqIR7sKaSQLENOphVYv1rqsfPfUE2vvCzRCdqOWln5gaL/YA3HRSUYHxx9lngx:E2UZlQLPprwm2PfUvJsUasU |
| TLSH | 9FF44ADD762072EFC857D5729AA82C74EB50B8BB831F4203942755AD9A4C887CFA44F3 |
| Reporter |  abuse_ch |
| Tags: | exe geo KOR Loki |
abuse_ch
Malspam distributing Loki:HELO: mail-smail-vm46.hanmail.net
Sending IP: 203.133.180.234
From: 구매부 김승준 과장 <jne2664@hanmail.net>
Subject: RE: 견적요청드립니다.
Attachment: PO 201023-042A.cab (contains "PO 201023-042A.exe")
Loki C2:
http://79.124.8.8/plesk-site-preview/heliopoliss.com/http/79.124.8.8/kiriko/Panel/fre.php
Intelligence
File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Heracles
Status:
Malicious
First seen:
2020-10-23 00:33:35 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
unknown
Result
Malware family:
lokibot
Score:
10/10
Tags:
spyware trojan stealer family:lokibot
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/heliopoliss.com/http/79.124.8.8/kiriko/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
722f3b6fd1145b2572e70b531b4ba55889aa9e90f3e5908827467c072469d558
MD5 hash:
bc9185209a77d179cfdf21a1370ed177
SHA1 hash:
4d28cf40b6552c17ac31c4b0d9e5c069baa57ceb
SH256 hash:
aeefdb376ac7ee2983ad19a204f25c9fc74b1e7492a21b08941286d85ecb8c35
MD5 hash:
ba007d15d9f3e13f22b6fab9630740d1
SHA1 hash:
148ab5043f5d5c502462b29d593accf8a3e80ebb
SH256 hash:
a33057093ec9bcf89b6b7abb1b2851a575ed24acedc69dfd5092d27ec7fa35c4
MD5 hash:
625b340aa203427ea923dd4a2e49ea4d
SHA1 hash:
8b74bca4be90868ab67e4681c0ec4c4dd4714201
SH256 hash:
92fd15be00d18ccc8dc2c028e7556544880e4e84f50a0f1bc7aae3f66ca5a767
MD5 hash:
dce902581ab2141a060f37e61c4c02cf
SHA1 hash:
8e29ceb09607663e3a7e9933fc6dbb04f2069a0b
Detections:
win_lokipws_g0
win_lokipws_auto
Parent samples :
8f712c89da9b64d0002d5b1a6d666d489d3d648e81468d53bf12aaec3252d187
722f3b6fd1145b2572e70b531b4ba55889aa9e90f3e5908827467c072469d558
1df38ad7f7297914ac4345c3572a92bd2a0507baedff37681f35b3bb8fa0d9eb
c89ff2ee5d641439d21cd2d45657c4e3766000b514c43be672f40c88325cee1a
22415179190d4247a852425771b1479d5539b4a9d0f15f395db9b3da550c23ce
722f3b6fd1145b2572e70b531b4ba55889aa9e90f3e5908827467c072469d558
1df38ad7f7297914ac4345c3572a92bd2a0507baedff37681f35b3bb8fa0d9eb
c89ff2ee5d641439d21cd2d45657c4e3766000b514c43be672f40c88325cee1a
22415179190d4247a852425771b1479d5539b4a9d0f15f395db9b3da550c23ce
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.