MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 15 File information Comments

SHA256 hash:	89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7
SHA3-384 hash:	f0882b2448dfc454c295b4a8214c8c40b01d03972eee4e0806d3af8ff61c05cd0efdd278382a1a2019f7c5c63855b267
SHA1 hash:	c51439cf6f65f0f58eb367d87e3e2353ee77d807
MD5 hash:	6ec9b742a4686a200ac8efd955afdb0d
humanhash:	blue-charlie-papa-charlie
File name:	Purchase Inquiry Daxparker Apparels03062023 f.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	805'376 bytes
First seen:	2023-03-06 02:20:25 UTC
Last seen:	2023-03-06 03:27:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:igy8Mb3cOQ7uZLc6u3ymgqN3w75muSaTLdgV2uOsz6gyCB9o:o8E3cOQCOi805Zdndo2uOnC
Threatray	110 similar samples on MalwareBazaar
TLSH	T1AC058D9172B19473F5CB016964297ACC2C3CB193B6D8E24B6B3779C096019FFF6A8E11
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8cf2684d6868e892 (13 x AgentTesla, 4 x Loki, 3 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://68.183.13.128/?page_id=4136377

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Purchase Inquiry Daxparker Apparels03062023 f.exe

Verdict:

Malicious activity

Analysis date:

2023-03-06 02:22:23 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/98c84955-ed8e-49ab-a10c-bd99594234e3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/371760/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Launching a process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

packed

Link:

https://www.filescan.io/uploads/64054e0f5961badabfa9af36/reports/a3f61f06-7afc-4e35-b9ca-a38aff9eddd8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1187483

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2023-03-06 01:28:53 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 25 (56.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rhezgwzqlxocddgm4cgam5qxnygixzirwfpz7knptj2wbr3fmddq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

30effb0aff6fa76c3ad8a5cbce7fda55b0cb0ab823e2d5aabb8a804c29137c01

Loki

53e04b40ad30d83c66ef729d87e5822f732fbc6804cbe216d68898f583ce7ad3

Loki

5796e0bd3872a4838b8e3a23139c16f456b8006859aedc9a6c7cbaa576969000

Loki

66bf3cedae82f70793c807db231ed455594c60e5cf0daabbfebdd7d69ec1f91d

Loki

70be751106b253c90ed4d19a828dbf3505f1d3dd322c2220c4856157f8297b09

Loki

95709146a788e3cae6af75199ba67b1aa327c8fe1c605f2cf8341861389cd011

Loki

b173d8cc12b90dce7f70af597cb5966c54690319ff4b48c99cafb1b63f01ca04

Loki

fccebf9b597398ab3e46b9f50076f8a3bcdb24cd4f3786e1c4540637cf32d96b

Loki

+ 100 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230306-cszzrshg5w/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Lokibot

Malware Config

C2 Extraction:

http://68.183.13.128/?page_id=4136377
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f

MD5 hash:

f4e7e91d4fdda2d3feb401b5b1d53abf

SHA1 hash:

cf9e76e6418850ac853bd9c6ce82a0be7920fc1d

Link:

https://www.unpac.me/results/9ff703cb-0079-476f-8da9-e248d110f2fb/

SH256 hash:

460602d5e8707fbf68fb46774e32d6e634ca7ca3d707181f2a0122d9a3be1238

MD5 hash:

bcaf10642fa4e470f0ac572df4f29d25

SHA1 hash:

af8fdf4c2994056b3bc28b4708a846cb3e62849b

Link:

https://www.unpac.me/results/9ff703cb-0079-476f-8da9-e248d110f2fb/

SH256 hash:

d0dccb7d82e85434f1d851c18bc27dc0cd09ce8806f12b75e618c44d855c8e4d

MD5 hash:

6398057b8df73eea5bc63297445a91a1

SHA1 hash:

aa20b0090ff8121b219665bd47224c2d5d2f8c2e

Link:

https://www.unpac.me/results/9ff703cb-0079-476f-8da9-e248d110f2fb/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/9ff703cb-0079-476f-8da9-e248d110f2fb/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

11d023325f99b8ea727359780bb58d68bdd5b948ca2ba3e9fc13b36ab2fb005c

MD5 hash:

a53c9a40bca8d343700294aaba3b9978

SHA1 hash:

3dcfd33aa1ea390079dc91ed52c640f4e7149cd9

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/9ff703cb-0079-476f-8da9-e248d110f2fb/

Parent samples :

89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7
d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384

SH256 hash:

89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7

MD5 hash:

6ec9b742a4686a200ac8efd955afdb0d

SHA1 hash:

c51439cf6f65f0f58eb367d87e3e2353ee77d807

Link:

https://www.unpac.me/results/9ff703cb-0079-476f-8da9-e248d110f2fb/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/89c9935b305d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

DLL dll 498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f

Loki

exe 89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7

(this sample)

Cape

https://www.capesandbox.com/analysis/371760/

Dropped by

SHA256 498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f

Dropped by

MD5 f4e7e91d4fdda2d3feb401b5b1d53abf

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample