MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 729b3db8ec16b0254c1c66f74a178a63ade2c12874ea42ba123bd7efc366eb38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 729b3db8ec16b0254c1c66f74a178a63ade2c12874ea42ba123bd7efc366eb38
SHA3-384 hash: 6f8bac26095bb400fa56ddaefb7eb8ce8c84cd85202df272c77b99e852a17cc951af725932b8ae06a81caf31a3347cc6
SHA1 hash: 90647e59f38b7db81558f9637fca8cd27c64e45d
MD5 hash: 3f0eb92361d284bedb88ea31f683b625
humanhash: alaska-lake-saturn-island
File name:CILJAK164769.exe
Download: download sample
Signature Loki
Create hunting rule
File size:271'872 bytes
First seen:2020-08-17 05:56:05 UTC
Last seen:2020-08-17 07:00:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:H49P8Wg/5/zpunWGJYmnGepCrxNxZBQZaghZ14EcmZHyXFaxmVmie9bngP:HmP8We5rSWGJ3nGeQz9MNb14EcmZHAFn
Threatray 30 similar samples on MalwareBazaar
TLSH 3344D05C35E0B071F7F85BF1ACB42D18477AB3260933AE4F299472B117E39E0AE5494A
Reporter abuse_ch
Tags:exe Loki Maersk


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail.ptjlg.co.id
Sending IP: 103.253.68.52
From: Maersk Line <finance@ptjlg.co.id>
Subject: MAERSK LINE SHIPPING DOCUMENTS
Attachment: CILJAK164769.gz (contains "CILJAK164769.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46611/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.51227.21118.29069.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432493
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/729b3db8ec16b0254c1c66f74a178a63ade2c12874ea42ba123bd7efc366eb38/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 00:38:03 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oknt3ohmc2yckta4m33uuf4kmow6fqjiotvefoqshpl67q3g5m4a._file
Verdict:
unknown
Similar samples:
227edfe5a3f405840f8be7a96d205ddbd66707829e0118f049f2917d28d2b142
Loki
22a1cc0a4f9c3667870c2f7487ca8d028288806955866f32e621aadc8afe9eae
Loki
2a9cf930b5e11dee35842ff73179a0467f820a95e23560d774f7ea05111de351
Loki
36609130c2783f8915051cf0030eb0b4a2712710257fb07095463a3dbc7f1861
Loki
404f88f8e5d2270cbab30c8e9de8d30aa8054939580a6ef40f41df59cc1f90a8
Loki
5dae09313f5bf2ef9f108c33d30b770c83d450e5c163150ef1754794493bb86f
Loki
67309e579deeb9fae0f90ce0e40e40318ef25c6c32b88e247863f13aa6678a55
Loki
7abf73f6d63535a3770a681960124ee32f77d0305cfb82e80da13301829d5b25
Loki
9b35a1eab3bddb51f9571b67a8d679c7db0af207a938f428870e10eae43e00f2
Loki
b96e6ac1d0b74e691b13eaddb1f72d792727c0447aaadae0a9c4599c3288d51c
Loki
+ 20 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:lokibot
Link:
https://tria.ge/reports/200817-s67hljb5es/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://easydriverservice.com/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Noon
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/729b3db8ec16b0254c1c66f74a178a63ade2c12874ea42ba123bd7efc366eb38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz cfc9c44707362bf6bc8cc33a753fcec4222d39115e951cf0d17e47fa6a7b3d3d

Loki

Executable exe 729b3db8ec16b0254c1c66f74a178a63ade2c12874ea42ba123bd7efc366eb38

(this sample)

  
Dropped by
MD5 918fd21d79f26fef7aeb1de7dd21df54
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46611/
  
Dropped by
SHA256 cfc9c44707362bf6bc8cc33a753fcec4222d39115e951cf0d17e47fa6a7b3d3d

Comments