MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a87bbc2669573efdc7db6a99c44ecbcec828ceccc0574ed019309a06c7771f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a87bbc2669573efdc7db6a99c44ecbcec828ceccc0574ed019309a06c7771f6
SHA3-384 hash: 3cf6541fc11d663652beac7b5234a4b294f7c64a054edea4e35ee8eed4626249439ee110be7ad10f58ecbc4fc7bd19f3
SHA1 hash: 3afdfe1f9bbf02ce854ad6c2469a8949ba587d7b
MD5 hash: 05106c7d606878ebb00967832613cb2f
humanhash: bulldog-early-hot-oregon
File name:05106c7d606878ebb00967832613cb2f.exe
Download: download sample
Signature Loki
Create hunting rule
File size:979'272 bytes
First seen:2023-04-21 14:35:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3cbc6836750e81514fac4284f71c59f9 (1 x Loki)
ssdeep 3072:bCnSC8f3UQ3VYtRwKZugLzl5E/99wQu6xbegc8NLbOVwLnpFKKYxDj9Ji8NXVwLx:Tf3L3VAwKdLk99zRe8N3O9d9VwmXC5/
Threatray 582 similar samples on MalwareBazaar
TLSH T1AB259E2AA340A624DBE70DB0232091AC47E87CFB7866510B3107F59D6B3B7E69715F27
TrID 78.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
1.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ec8ad8c8686060d8 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki signed

Code Signing Certificate

Organisation:Transition software (C) 2018
Issuer:Transition software (C) 2018
Algorithm:sha256WithRSAEncryption
Valid from:2019-03-26T08:25:50Z
Valid to:2022-03-25T08:25:50Z
Serial number: 01
Intelligence: 371 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: b7b6b2128ef49f05d6d6fc2af1750b092f552d8a5f7c5707bb4da0f0ce91d124
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Loki C2:
http://stardoors.com.br/site/wp-includes/fonts/ff/panel/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
276
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
05106c7d606878ebb00967832613cb2f.exe
Verdict:
No threats detected
Analysis date:
2023-04-21 14:38:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a342c7d-e9bd-4049-b5c7-7500a79d3eac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383965/
Detection(s):
Win.Packed.Vbkryjetor-6915342-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
DNS request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/64429f53f2acc4ba529d0385/reports/c363a292-9606-44dd-b2e7-28727bbfcc8d/overview
Verdict:
Malicious
Labled as:
PonyStealer.Generic
Link:
https://www.hybrid-analysis.com/sample/8a87bbc2669573efdc7db6a99c44ecbcec828ceccc0574ed019309a06c7771f6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/91b15abb-e64f-424d-b082-fcd55a7ea184
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1218724
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 851666 Sample: JHbAEIznhO.exe Startdate: 21/04/2023 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 10 other signatures 2->46 7 JHbAEIznhO.exe 3 5 2->7         started        10 wscript.exe 1 2->10         started        12 wscript.exe 2->12         started        process3 file4 30 C:\Users\user\AppData\Local\...\notepad.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\Local\...\notepad.vbs, data 7->32 dropped 14 notepad.exe 1 7->14         started        17 wscript.exe 1 7->17         started        19 notepad.exe 1 10->19         started        21 notepad.exe 1 12->21         started        process5 signatures6 56 Antivirus detection for dropped file 14->56 58 System process connects to network (likely due to code injection or exploit) 14->58 60 Multi AV Scanner detection for dropped file 14->60 62 3 other signatures 14->62 23 notepad.exe 54 14->23         started        28 notepad.exe 19->28         started        process7 dnsIp8 36 stardoors.com.br 192.169.89.40, 49686, 49687, 49688 LIMESTONENETWORKSUS United States 23->36 38 192.168.2.1 unknown unknown 23->38 34 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 23->34 dropped 48 System process connects to network (likely due to code injection or exploit) 23->48 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->50 52 Tries to steal Mail credentials (via file / registry access) 23->52 54 2 other signatures 23->54 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a87bbc2669573efdc7db6a99c44ecbcec828ceccc0574ed019309a06c7771f6/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 06:10:06 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
30 of 37 (81.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkd3xqtgsvz67xd5w2uzyrhmxtwifdhmzqcxj3ibsme2a3dxoh3a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
cloudeye
Create hunting rule
Similar samples:
07fa172e1404c76738226cefc6e5d45559430c9946e419ed089d9ae5690783f9
Loki
2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8
Loki
332a67364db4ac8d8d0be982041ad50eaecd54fe7444cb766646aaa16b9cb99a
Loki
936ef3a90e5433d26c707b0660fb1530a3f717734dc0c86568854c6131f954f7
Loki
98883d7d2678fd8cbdad8b8c1ca7cf13a797b1074f081dee24aba14dcc346ffe
Loki
d5546c4ce65f892b4fc83398f5c45957f03a647c0bcd81488218da710475eae2
Loki
e4b9cadb865b6821fed44ea24bfb2968208aa56b2a0a76026d18d7d594f58c59
Loki
f84353a028d1c96db9ef3c775085e12c5222e3f41f4307f04db938a7b3be9d5d
Loki
+ 572 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/230421-ryj8tsaa3v/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
https://stardoors.com.br/site/wp-includes/fonts/ff/panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
316d4e117774b7717ab4afb0fb515b05b1c2989b12e6271c5dbb9284b8c176a0
MD5 hash:
307666a9ff13aa01e7f856b87577100c
SHA1 hash:
e4dff8ae9d0e5b098e433f60879a1949f10628b3
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/381493a2-5054-4890-b90e-1401e1f77570/
SH256 hash:
8a87bbc2669573efdc7db6a99c44ecbcec828ceccc0574ed019309a06c7771f6
MD5 hash:
05106c7d606878ebb00967832613cb2f
SHA1 hash:
3afdfe1f9bbf02ce854ad6c2469a8949ba587d7b
Link:
https://www.unpac.me/results/381493a2-5054-4890-b90e-1401e1f77570/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a87bbc26695/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8a87bbc2669573efdc7db6a99c44ecbcec828ceccc0574ed019309a06c7771f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_734d0baf7a6b44743ff852c8ba7a751a7ff0ec73
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383965/

Comments