MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs YARA 8 File information Comments

SHA256 hash:	785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6
SHA3-384 hash:	29ad5f6f995ace8184fd69b3db0ea8da9ef1281c33d89b2d75ac9afcb74990f053d021b1f3818d3acd4c2531c824c89f
SHA1 hash:	cfc64b9ed39c8e591bed1eecab77b657aa9136d8
MD5 hash:	9646ebeebe5711415a3aa54fce21c1c9
humanhash:	july-victor-yankee-hawaii
File name:	Új fertőző betegség.cmd
Download:	download sample
Signature	Loki Create hunting rule
File size:	563'720 bytes
First seen:	2024-09-02 10:51:04 UTC
Last seen:	2024-09-02 11:44:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:R0RC419gnx+4kqFglRe/hYEhde5yN45dkQkR:R0RFOx+4kaglRahrLeyNikX
Threatray	4'398 similar samples on MalwareBazaar
TLSH	T1B6C412AA91E68E83C8A977FD9C68129B677181326611CFF71CC094C14B937C20D66DBF
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	f2ceaeaeb2968eaa (68 x RedLineStealer, 21 x AgentTesla, 18 x AveMariaRAT)
Reporter	smica83
Tags:	exe HUN Loki

Intelligence

File Origin

# of uploads :

# of downloads :

454

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Új fertőző betegség.cmd

Verdict:

Malicious activity

Analysis date:

2024-09-02 10:55:07 UTC

Tags:

stealer lokibot trojan

Link:

https://app.any.run/tasks/fd302df8-ed62-4608-858b-044258175546

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.AgentTeslaNET.34.30825.4283.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66d598d5a0c486d2f7940ee0

Tags:

Encryption Execution Network Static Stealth Lokibot

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Stealing user critical data

Connection attempt to an infection source

Unauthorized injection to a system process

Adding an exclusion to Microsoft Defender

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1e9bec95-9d73-4b8a-b76d-6cd013630887

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1502867

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

AI detected suspicious sample

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-09-02 10:52:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pbowikfcnkeejm5lrkj5ywsiei7qxnvi2trikznl3q7znga6yxda._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

2f7014c598a900f828893aeb0c0724d9f48c37c6987dfc12847525df174e0e81

Loki

5f6d0070aa1b62cfb032d99a822b585b79d1d66125cbf16fe03d7840f89cf7cf

Loki

785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6

Loki

84fb2ec298bec7a70493394b6d6caabcd0522a8f5f7753d8e725118c7e08da4e

Loki

+ 4'388 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection credential_access discovery execution spyware stealer trojan

Link:

https://tria.ge/reports/240902-mydntszbjd/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Credentials from Password Stores: Credentials from Web Browsers

Lokibot

Malware Config

C2 Extraction:

http://104.248.205.66/index.php/modify.php?edit=1
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/08d0ecc1-032a-42a1-862b-a09dda4ef9e0

Unpacked files

SH256 hash:

fa36ec7029a4145902e1ca5fb9eb358d217450503f01ef10c4cce3f17067b4da

MD5 hash:

d195d9b266df9f1fb4b6e5b28f39f840

SHA1 hash:

813d036fbd42074f8ce8c8e5b2f09a1b84900b71

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Lokibot

SUSP_XORed_URL_In_EXE

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_GENInfoStealer

STEALER_Lokibot

Link:

https://www.unpac.me/results/a37901b6-c750-4d3c-8161-76d6c6f29c18/

Parent samples :

866c6f0599d2375ac1d50a165f5735c74b980bc6bdea3f023522f897999f6770
4ebeb928e56c30dc2fa722e5ae1e41181bfae00ce0466226bcb7d17a7dbaaae7
785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6

SH256 hash:

323949160b82cf15b13a118fcabace9e871f4882736ca3a1506dac73be602362

MD5 hash:

5790fe679cd98d360f9606c2421adda7

SHA1 hash:

79da1f6b14041a29a5d04b13467e54b5440f8081

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/a37901b6-c750-4d3c-8161-76d6c6f29c18/

SH256 hash:

8f3e8fb00b864b774ba1ff591b4d2f29d04cf4fea45e179f39309b984a92093c

MD5 hash:

d0223abc16917fd6ab9a529f597cc431

SHA1 hash:

6de268dcad66b83e126c39b7cb8aaec020d64dcb

Link:

https://www.unpac.me/results/a37901b6-c750-4d3c-8161-76d6c6f29c18/

SH256 hash:

785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6

MD5 hash:

9646ebeebe5711415a3aa54fce21c1c9

SHA1 hash:

cfc64b9ed39c8e591bed1eecab77b657aa9136d8

Link:

https://www.unpac.me/results/a37901b6-c750-4d3c-8161-76d6c6f29c18/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/785d6428a26a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/785d6428a26a8844b3ab8a93dc5a48223f0bb6a8d4e28565abdc3f96981ec5c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample