MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 892b2599cfec3627557271febe1663f40297c6d30c1f31b83c4547b53473c574. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 892b2599cfec3627557271febe1663f40297c6d30c1f31b83c4547b53473c574
SHA3-384 hash: ece337881f5b5e6e24d8a767fa9f834fc440ec21ce72b0cae12041bec9cc65fce79bd3d59fd5c2960dffb4d3d03a193c
SHA1 hash: 76bb36702ddbccf80b1633b835b2c39d1afc5224
MD5 hash: 7d70799e55cbb78908bfa713bb48ac37
humanhash: connecticut-nebraska-bravo-louisiana
File name:7d70799e55cbb78908bfa713bb48ac37.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'184'768 bytes
First seen:2022-02-20 08:15:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b6595c889ddf8475abea4af78bffc99 (1 x Loki)
ssdeep 12288:wehVb6FqWW9vvqveFSRVtvrvGviP3S8gJPp5lmRbMAEY5yQvu/SUhrYSV+mbl:wIeFwvvUeoRVtTqiPkx0TE/QW/SVg+S
Threatray 6'429 similar samples on MalwareBazaar
TLSH T15C45AE0D7542D873D2632D769E0786F15D26BED13E6904012BD4BE48EB3B782BE2A173
File icon (PE):PE icon
dhash icon 27d0d8d4d4d8f006 (1 x Formbook, 1 x Loki, 1 x RemcosRAT)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://kitnasedhasa.com/rud/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://kitnasedhasa.com/rud/fre.php https://threatfox.abuse.ch/ioc/389572/

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/242753/
Detection(s):
Win.Trojan.Zusy-6985095-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6758/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe exploit fareit keylogger replace.exe zusy
Link:
https://www.filescan.io/uploads/6211f8c6a2660f3bb90eaf42/reports/1881c12d-9c5f-4bdb-8a89-9ab1bb4e591c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cea09d84-da00-4601-837f-5c4390342b5c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/942772
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/892b2599cfec3627557271febe1663f40297c6d30c1f31b83c4547b53473c574/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-01-20 16:41:19 UTC
File Type:
PE (Exe)
Extracted files:
84
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=revslgop5q3covlsoh7l4ftd6qbjprwtbqptdob4ivd3kndtyv2a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04648027cb82497087f5b36b8d2fdf12ce9412349c728500bf97c9418d729f0e
Loki
391b079f44623381b2b2c9a6d6df08175e9779aefd7ae8fb9b369f5dac6c2188
Loki
3fe2d0dd224e7799ad1d669d3e01ec1676ce6ba39170e12df1a600ca49ae3422
Loki
4fcb2d6dd4e6699e31ef782cdb40bdf65c388311c72952702e8f3024c46c2793
Loki
8019700bd27aecf2c5a6874494f5d897aea450cfe806435f7fe28680487dcc8a
Loki
b6423a90227ed2d30952943cdfc63e4f31b2c79a15f80e5f2fb6aa9efb75dcbe
Loki
b9464d27c038d3f5cdd28f88083396b4e29a7fa78cdb384b572f3f13c3fd5a3c
Loki
ca80e46167f7c8dd33ca38ecff1c2c19704a80735caa1c4b49498e0bc255b2cb
Loki
f9a2f1e7311dab79c889621aeb6e11c48024343f8f44e787ab4903a8f2495554
Loki
+ 6'419 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220220-j55jcaade9/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Drops startup file
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://kitnasedhasa.com/rud/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d4d338006a20901ea824607dae1b922d09a98bb8c699a49d7518e3fa350a838e
MD5 hash:
d464507cf7aac10101b336a2e807f88f
SHA1 hash:
11b67bb216e21dee74515d75f32ca3fd3a987ffd
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1f25e2dd-a0ee-4068-ae71-fad6814931c1/
SH256 hash:
892b2599cfec3627557271febe1663f40297c6d30c1f31b83c4547b53473c574
MD5 hash:
7d70799e55cbb78908bfa713bb48ac37
SHA1 hash:
76bb36702ddbccf80b1633b835b2c39d1afc5224
Link:
https://www.unpac.me/results/1f25e2dd-a0ee-4068-ae71-fad6814931c1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/892b2599cfec3627557271febe1663f40297c6d30c1f31b83c4547b53473c574

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/242753/

Comments