MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d
SHA3-384 hash: f9c40410953998b0d62a1544c9e7d7a234fd7e90d8413365d054cb32b686c5c25ec8597d9bdb23578a037080c1fc8f44
SHA1 hash: 729bd91c6b262be4561784bd5f2ded15bdf75abc
MD5 hash: 2725b73350182dfbf4aefe17a19a8e2c
humanhash: crazy-lake-papa-grey
File name:T2fTdPhr4piX2cB.exe
Download: download sample
Signature Loki
Create hunting rule
File size:676'352 bytes
First seen:2023-06-15 22:51:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YCPWR28Le0cY+Yg9fb9zOpUDJHC+XLVINQ6PG4ZUYCJtES6oZ/5XbeFQEZwa:YK+xL9Rk9I0HJLVINQyjUhJ0ol5LALZT
Threatray 4'324 similar samples on MalwareBazaar
TLSH T144E401AD17B3892EC89A3FBC4D202AB9E1EC59857137C3574FA7FDA9DC50A084C91291
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter threatcat_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
374
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
T2fTdPhr4piX2cB.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 22:53:03 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/4b79ec94-e4e2-4364-ab45-ae05f4ee4f2f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399349/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33918120.4778.32105.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/648b9613e8a7749a2a223bcd/reports/6fa2e817-e072-4a46-976c-698e91721aff/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6caa3b41-ed16-485c-92f0-079ce1d1def1
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255688
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2023-06-09 02:03:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ptwktg3ojfw4kquctz7dtvefhuuoe6dupoyvt7qph7rjkxqlzcgq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
5db6a8dfafd6956beaf4127500cd5232d78d70165a1775fa1da58277a43327ed
Loki
690bf56c513b3b1e8ef7eb1cabd0e7ae3caf33e6d4442264ec5b17c74b9c5d92
Loki
852e0d9a8f474077261d053d587868b211e70eff320a7e7067c3fc1cb3253ea5
Loki
856d9678db405a6c131e80b60351819e8ec3ed19b043d170d19ca078f7723ab4
Loki
8699f030698874a541a877ae7068bde48d11e74fd9a6c817d45885e1815e0dcd
Loki
9329a473fbc644201fef14d26d708eca73a6d524c629c6b2881527525bfff3a6
Loki
b49f61234795f9d0c4fb2800a4c45346dadec2854f96c884d2432f91c3fa13a6
Loki
e9c141cc8f4535f2abc77198d303fb533cd4acedb9b1aef39d57529dd6bafe65
Loki
fd5030b33e9f626dceea517a8ff935dcd2f9d9d8d6ff9ded6f998ecee7de7e52
Loki
ff927067632cbc9312282420e5ed0e75505e871970b76c169cd57f0ca52c3d84
Loki
+ 4'314 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230615-2tc9tsbf69/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://185.246.220.60/office1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
cdb2c04cd1029d672a67e2086469dd5f7132f39f16811afc1b652dafbc561b92
MD5 hash:
3faac169f9080f523c1cb46b3a9ee39f
SHA1 hash:
f2726a275e03c9020e0046cc2c3f84464f6461da
Link:
https://www.unpac.me/results/f4bf1561-ad6d-4115-9d53-3d707fe472f0/
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/f4bf1561-ad6d-4115-9d53-3d707fe472f0/
SH256 hash:
cad9d5158bd4148003f9393e3b89ea98951360112337f191af3fc7ed9d9fac34
MD5 hash:
cebb2b71aadd6adf6c4b077193e0522b
SHA1 hash:
b705fe3184e6e0a48cf7e30dbe9d1bf317e83a45
Link:
https://www.unpac.me/results/f4bf1561-ad6d-4115-9d53-3d707fe472f0/
SH256 hash:
bb440ef1ef7b5b6565ba64f316c2ef6de5f4c4bf356ff9b0f5b02e3bcc8623fa
MD5 hash:
cbecb749bde968c52403e91128eb818c
SHA1 hash:
a6a37a6ac5fe577eeec97fcc21a3cd801f44eb2f
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/f4bf1561-ad6d-4115-9d53-3d707fe472f0/
Parent samples :
40d89b32ac24d8d4e95b6c43218f15e9a3144191786f248e963dea351f718af4
b7912e36936ed5ccf60f51884b731630d07dc6727fe8cd0b44d51b42800d48bf
80695c8b6b87a0f03f6b3dbd14f714920aadf3c720bc2a2ef2a05caedb33c2dd
a0bee5267d0b17ca3aef423b133243a4b02104f85720e73799e6cd5972176f20
3e9a480499ba57c2d390520d58226fc7aa8690b9e4e766318b27486e3c12ee00
b3b03d6eff59070c3049aecc702de3bc10b5117d1ed18e96ee6f2675c5301ab6
7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d
6a0ce1aeb67fe005151417bf367bdba06bb72f128ddd6dbb00ba207c013324ec
SH256 hash:
6fc20a3011d42ecebf51141d77a178cc1c7d50bd148505f138e3c1abba8b8e80
MD5 hash:
76a54bf2d25cdaba4d5e3baf2b383ee0
SHA1 hash:
1872dbe7ab92f9435d680e88561d51d9d561fb5f
Link:
https://www.unpac.me/results/f4bf1561-ad6d-4115-9d53-3d707fe472f0/
SH256 hash:
7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d
MD5 hash:
2725b73350182dfbf4aefe17a19a8e2c
SHA1 hash:
729bd91c6b262be4561784bd5f2ded15bdf75abc
Link:
https://www.unpac.me/results/f4bf1561-ad6d-4115-9d53-3d707fe472f0/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ceca99b6e49/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:Windows_Trojan_Lokibot_0f421617
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Lokibot_1f885282
Create hunting rule
Author:Elastic Security
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 7ceca99b6e496dc542829e7e39d4853d28e278747bb159fe0f3fe2955e0bc88d

(this sample)

  
Dropped by
loki
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399349/

Comments