MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7994e0d58c47b933e70d0c50122fc167f86f96d5602a285ef32a6dfbb5e16de7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	7994e0d58c47b933e70d0c50122fc167f86f96d5602a285ef32a6dfbb5e16de7
SHA3-384 hash:	0e8fa0cf5dc450754b3b3f1db25cb4eadb040d6f4a987b0c57d62bcdf0acc25e027202b6d2a753075ba4311c4df6efbb
SHA1 hash:	c801f1867ca4e7e430de759e0f61505311ab9b2d
MD5 hash:	94b11b947d70cee9efdbd25fdd6961b2
humanhash:	network-crazy-uranus-monkey
File name:	OXHV3S9rWfqQqfJ.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	612'864 bytes
First seen:	2020-10-21 10:44:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:CntVLMCw2PzYIM/VFz8U2q5typg7Dg7vbF1XbN5XLJWX4E3:CnjLs2PzYISzKqLypICjF15w
Threatray	1'706 similar samples on MalwareBazaar
TLSH	ACD412893624B2DED01BC072DFA82D6AA6517DB3572F521388173AEDA97C507CF190F2
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Malspam distributing Loki:

HELO: server.filmworld.tv
Sending IP: 70.32.31.17
From: finance <finance@hsasystems.com>
Reply-To: finance@hasystems.com
Subject: Payment(2019+2020).
Attachment: payment doc1.rar (contains "OXHV3S9rWfqQqfJ.exe")

Loki C2:
http://sieqwarteg.com/kon/kon1/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/74093/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

Creating a file

Changing a file

Replacing files

DNS request

Stealing user critical data

Connection attempt to an infection source

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/505700

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM_3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7994e0d58c47b933e70d0c50122fc167f86f96d5602a285ef32a6dfbb5e16de7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-21 09:09:40 UTC

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pgkobvmmi64thzynbribel6bm74g7fwvmavcqxxtfjw7xnpbnxtq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

spyware trojan stealer family:lokibot

Link:

https://tria.ge/reports/201021-eb3ezw2lzs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://sieqwarteg.com/kon/kon1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

23f91c407ff237df8784c9303c92550cd08390c3ea90aa13d1f4d5f12a9256b2

MD5 hash:

1d12eaf37982792fb8927b033c1d14db

SHA1 hash:

2100083ec0120ce6170d49f26177b16f9136c1bc

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/9e007e20-cc04-40e5-b24e-e494aa4019de/

Parent samples :

229c2a76e14bcb4b84636f972a2acdedad5295dac077e9f6d895ca8a4f37f6c3
7994e0d58c47b933e70d0c50122fc167f86f96d5602a285ef32a6dfbb5e16de7
2e1f23f4c8536a0f803f8d9f54e5d5c67a99aa2b0c44031d4ed743acd6003887
d565ab7ba182e34ed88578e2219c34071a449f1841d4ba22e555be279ce626c3

SH256 hash:

30286051a5f00a7752e244ba26944218aec49d644aef55ecd430fb4222a5149f

MD5 hash:

4c910e70a5a6d1890ce07df7ff03e4a1

SHA1 hash:

a47b2934511196daadb254cc7fa651c31c63d4b2

Link:

https://www.unpac.me/results/9e007e20-cc04-40e5-b24e-e494aa4019de/

SH256 hash:

0c22ad59ae56f4db3b4f76202a0e1ca782b23bd4fa839d7140b4707f5851c813

MD5 hash:

41baaccd532776b087843cb4ed12ecc4

SHA1 hash:

c0582250063f3b803ab667f51c7673471b3d31a4

Link:

https://www.unpac.me/results/9e007e20-cc04-40e5-b24e-e494aa4019de/

SH256 hash:

7994e0d58c47b933e70d0c50122fc167f86f96d5602a285ef32a6dfbb5e16de7

MD5 hash:

94b11b947d70cee9efdbd25fdd6961b2

SHA1 hash:

c801f1867ca4e7e430de759e0f61505311ab9b2d

Link:

https://www.unpac.me/results/9e007e20-cc04-40e5-b24e-e494aa4019de/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_lokipws_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com