MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8883f583022b4c5d9f4aed11853958a7e3266c68963bfbe765f2009a9ffff746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8883f583022b4c5d9f4aed11853958a7e3266c68963bfbe765f2009a9ffff746
SHA3-384 hash: 5a65e3c7a41fe9f25370fb1eaa4181bea7c1e54e6cc1f802d543d0ee476202bc57f687e2171ca79369adfd77919d314b
SHA1 hash: 29546e0a244dddedc77649abefe1ce582d56de7b
MD5 hash: 7105b22ec10aee2ef62494012bff058e
humanhash: finch-jig-kentucky-tennis
File name:7105b22ec10aee2ef62494012bff058e.exe
Download: download sample
Signature Loki
Create hunting rule
File size:241'152 bytes
First seen:2022-06-28 07:53:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f0888305a369a44455dcf5f4e579ce7 (8 x RedLineStealer, 1 x Loki, 1 x Smoke Loader)
ssdeep 6144:sSwQOmN0k03FYvtVNgwgq5dJxE0p7ITsqmK+:sSrM3AtVDgq5dJDp7Zp
Threatray 8'392 similar samples on MalwareBazaar
TLSH T12834BFE0B6E0C872C0A33530C865CBB16A7A7911E771858B37F42B2E7E747D06AB9355
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c01edecea68c8ccc (154 x RedLineStealer, 98 x Smoke Loader, 36 x Stop)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://sempersim.su/gi2/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://sempersim.su/gi2/fre.php https://threatfox.abuse.ch/ioc/730449/

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/283792/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Query of malicious DNS domain
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult crypter greyware packed
Link:
https://www.filescan.io/uploads/62bab3dc197c837506caf0f7/reports/027e5aab-2037-45e6-ba03-f403f81d5c66/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c3b7ff57-e628-4585-94ee-5fdb7609bade
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1020976
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8883f583022b4c5d9f4aed11853958a7e3266c68963bfbe765f2009a9ffff746/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 03:51:10 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcb7laycfngf3h2k5uiykokyu7rsm3disy57xz3f6iajvh7765da._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1b697cbd61c08be53e1cdb6b94379423ff4b0056d19f7646f6da6a21111e30df
Loki
1d6baba880112637b879dc43d27adfa60111d612a2076525a9b8ebb66d333e7b
Loki
37835fd541311503e6f9d9f751a2a78eb7dd593000e92c2161cb919238aefb29
Loki
3ba4826484ea2e18bf59b0d62f652dfd9961b44b95fad32d2ed3a4ee8ffd4c8b
Loki
7449b87b5834bf7af188910c52d201cb1539d6e49d311c161a9c37f2cf72472d
Loki
8bf11c49109e41553a01c4845eaacd7dd10826686b2dd3f61b9d2f4526b57235
Loki
9632ef251fc7538bbf3d50d17035c5ceaf3d7a0fb571e424d0c3c28a829cdf85
Loki
c8037e53bce9878999866f4f25aafb4469e2a0b91d4c64d3b3f16f4e77a23f10
Loki
e885de5c226088e771adf5e01c3c58894bc1f37f51d0ce917ed0f0822e2e62d3
Loki
f1d35589ab4afd274172a3a899254efcb6aaac6d50cb0e192bf93d162a1d70b9
Loki
+ 8'382 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220628-jrjpqagaak/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://sempersim.su/gi2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
8afdc76b7d447969dcdbdceaae4c5eacfeebd1d92dedc3c02f12833909527fc7
MD5 hash:
eb4f3cf373ce34b775ec32c0bfff94ef
SHA1 hash:
c3504a54c0afe76bf8f0fa4b4f68feb54d2a1578
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
Link:
https://www.unpac.me/results/9327f42c-4f25-4124-b601-7378202f93ca/
SH256 hash:
8883f583022b4c5d9f4aed11853958a7e3266c68963bfbe765f2009a9ffff746
MD5 hash:
7105b22ec10aee2ef62494012bff058e
SHA1 hash:
29546e0a244dddedc77649abefe1ce582d56de7b
Link:
https://www.unpac.me/results/9327f42c-4f25-4124-b601-7378202f93ca/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8883f583022b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8883f583022b4c5d9f4aed11853958a7e3266c68963bfbe765f2009a9ffff746

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 8883f583022b4c5d9f4aed11853958a7e3266c68963bfbe765f2009a9ffff746

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2251949/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/283792/

Comments