MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7690c6721de838a1f54b8bf058b68149dac4117f9ff6d1da17d1ebcc00361ee7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7690c6721de838a1f54b8bf058b68149dac4117f9ff6d1da17d1ebcc00361ee7
SHA3-384 hash: 5b0d63d89c7c810a237cc8f578b9d278b4d737b29f01d79894c32da2854a7860ecd52056cd0ceaea3fee3e452b49b0f7
SHA1 hash: 2ee77c031016430028245bb3752d9038e3993e8a
MD5 hash: 17ae136b2581ff7e154c48c273f08d5f
humanhash: emma-twenty-batman-cup
File name:L1452III-HASB-6582018-R02.exe
Download: download sample
Signature Loki
Create hunting rule
File size:84'192 bytes
First seen:2020-10-12 14:43:36 UTC
Last seen:2020-10-12 16:13:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:a7qLY+2o14+V8pOJGCnjbGnYTC9IGMJbLXi1UfY:amLY+2oPJGCnjbGY+9uJXiR
Threatray 1'599 similar samples on MalwareBazaar
TLSH AC83DD05314BBE03DEB6037945B2944262F36AF225A2C3785DC486CDEDC64A43B4BEDE
Reporter abuse_ch
Tags:exe Loki

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Oct 12 08:36:23 2020 GMT
Valid to:Oct 12 08:36:23 2021 GMT
Serial number: 6A84383584B1477C79CC970BB50F4FB4
Thumbprint Algorithm:SHA256
Thumbprint: D2939B3F5084BBB51EFDB828947C1CCB1F9E744DF6B7B9EF15154A5418F23000
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gmail.com
Sending IP: 156.96.44.206
From: Shinas Jabbar <Shinas@gmail.com>
Subject: Quote Ref.# L1452/III-HA/SB-658/2018-R02
Attachment: L1452III-HASB-6582018-R02.zip (contains "L1452III-HASB-6582018-R02.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70118/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.36880.4777.6934.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488556
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296730 Sample: L1452III-HASB-6582018-R02.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 6 other signatures 2->35 7 L1452III-HASB-6582018-R02.exe 15 2 2->7         started        process3 dnsIp4 23 us-east-1.route-1.000webhost.awex.io 145.14.145.239, 443, 49727 AWEXUS Netherlands 7->23 25 appreciatory-cartri.000webhostapp.com 7->25 37 Tries to steal Mail credentials (via file registry) 7->37 39 Hides threads from debuggers 7->39 41 Injects a PE file into a foreign processes 7->41 11 L1452III-HASB-6582018-R02.exe 54 7->11         started        15 timeout.exe 1 7->15         started        17 WerFault.exe 23 9 7->17         started        19 L1452III-HASB-6582018-R02.exe 7->19         started        signatures5 process6 dnsIp7 27 195.69.140.147, 49740, 49741, 49742 XSGGE Georgia 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 21 conhost.exe 15->21         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7690c6721de838a1f54b8bf058b68149dac4117f9ff6d1da17d1ebcc00361ee7/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 12:35:59 UTC
File Type:
PE (.Net Exe)
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2imm4q55a4kd5klrpyfrnubjhnmiel7t73ndwqx2hv4yabwd3tq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
038f6511fee241d2d255393c416c37c4582ad4bcf297dd5cab89ec0905270fb9
Loki
14cbfd81ab9f8f3ae1926d160ddaa8a0f2a61f5ce89f30efc18487e419705c91
Loki
14e7b4f4f4e98ecb3aad0e67857b3fbbca1d314ecdaa0b1aab122e1d97954977
Loki
20edc5b15578c2714fd64a6577a5bd1fbbb13434dc2e900e3b7c568537206050
Loki
3174c59112b25985b8c1454e28c3e42dce2e6b44e3da96d891bfd25622e586ea
Loki
35ba63b01ddc9f28a887e6286e205db48ae20c6b70f181d9f026abe468e4f32c
Loki
b1bb531b94fd992587eb042d3cf9d3cc5de717dc0c684c47b87e0913181330db
Loki
eb62fd0141733058ab86e491cd42e645341527cbaa10f339438528071ca17d28
Loki
ed6563b9e166cc1214903f5dd679b939cb695949c4b08d36adb0be3ffcf857f1
Loki
fcfc827205cd38cdf997f72b1d58eba51ac12da6ba5939279b626522b11fd938
Loki
+ 1'589 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201012-s38zejwken/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/zk6JVkIrBjNwE
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
7690c6721de838a1f54b8bf058b68149dac4117f9ff6d1da17d1ebcc00361ee7
MD5 hash:
17ae136b2581ff7e154c48c273f08d5f
SHA1 hash:
2ee77c031016430028245bb3752d9038e3993e8a
Link:
https://www.unpac.me/results/00b02808-74ee-4db0-8723-a1b7685ba716/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7690c6721de838a1f54b8bf058b68149dac4117f9ff6d1da17d1ebcc00361ee7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 25b871c94fcc1825b19de313875a06512f650480b6623ec678dee76732c52e0b

Loki

Executable exe 7690c6721de838a1f54b8bf058b68149dac4117f9ff6d1da17d1ebcc00361ee7

(this sample)

  
Dropped by
MD5 97e777ffc13dd5838f94cc8edadc0358
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70118/
  
Dropped by
SHA256 25b871c94fcc1825b19de313875a06512f650480b6623ec678dee76732c52e0b

Comments