MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bbd910cc31c0c11e4b7a83df4ae39744d4a0643c744abd0726cb747cb639ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bbd910cc31c0c11e4b7a83df4ae39744d4a0643c744abd0726cb747cb639ed6
SHA3-384 hash: 1b7773fafc704550d93e3577016812a1013a357292bbbb4502bb5135b5fe73611c329d3cf2f817d854406dc3f1e65f58
SHA1 hash: c70dc0efb5d10c484cd3eeb7cb7393ac4f112477
MD5 hash: 8d006ba73b1d7747b0bb58a3635006fb
humanhash: jersey-speaker-robert-autumn
File name:informe bancario.PDF.bat
Download: download sample
Signature Loki
Create hunting rule
File size:670'720 bytes
First seen:2020-12-30 09:15:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fAno2iNgld+QnjNG4x+wsJ7ONzeoaOGftab0phOqlNPMD41/R:f6o1w+QnZn1NzG3f6SNPx1/R
Threatray 2'208 similar samples on MalwareBazaar
TLSH 2AE46A03E5AEF92CD018527BA711B11136A19CE12D82C17D7BD5A7EA18F11CAC63C7FA
Reporter abuse_ch
Tags:bat Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: smarthost1.gohsphere.com
Sending IP: 173.0.137.124
From: PAGOS <pagos@carvil.com.mx>
Subject: Re: DEVOLUCIÓN DE PAGO TT (Ref 0180066743)
Attachment: informe bancario.img (contains "informe bancario.PDF.bat")

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
informe bancario.PDF.bat
Verdict:
Malicious activity
Analysis date:
2020-12-30 09:29:05 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/d65f725f-13a6-44a8-8b70-a18342f42d02

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109878/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/571946
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8bbd910cc31c0c11e4b7a83df4ae39744d4a0643c744abd0726cb747cb639ed6/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2020-12-30 09:15:24 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ro6zcdgddqgbdzfxva67jlrzorguubsdy5ckxudsns3ups3dt3la._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
030d7031dc02ec7766d476e96b72e5a348eab8814d9c2cb04c33e75071020440
Loki
1df38ad7f7297914ac4345c3572a92bd2a0507baedff37681f35b3bb8fa0d9eb
Loki
3b9ff29f35dafcb9a28349285b3a4f834c21d3a4061f05c775ee53b11fdd6a05
Loki
5434b3121b379bde98f409a5d00c6da0be9f001b73e73860ca0c530386e002c6
Loki
67022a9257f711a8c6287fd668c24d8ded9cefbbe1b0e5cf299a1fd9a03fc29f
Loki
6e60550a33d25470c7d89ea1d8afa1f2e742a1cb6f4970ed48fcbdeeb7940002
Loki
7689fde52d772a6810cccf89d32a6bb8e944a9ce435a44dc52032feeee61d6eb
Loki
ad289b3d23743f22175387c9f8e04d774d6c81c179654f29b71c715712594d1c
Loki
ad6946570be39c2f4da1777083f2339cae24bec7928b460db68e55e53c915e22
Loki
b2f7371dbc4fb27739f11a5fbf9aa878f118d1f8659025422bc614e7c5b60ff6
Loki
+ 2'198 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/201230-qf39s2zhcn/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/dklX59XNxRkB6
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
8bbd910cc31c0c11e4b7a83df4ae39744d4a0643c744abd0726cb747cb639ed6
MD5 hash:
8d006ba73b1d7747b0bb58a3635006fb
SHA1 hash:
c70dc0efb5d10c484cd3eeb7cb7393ac4f112477
Link:
https://www.unpac.me/results/daf7d779-6bc3-465d-9251-d0dc6f31bd46/
SH256 hash:
a7e8d5aa86e2461d7d15c8d5f952fc73956a8edbe223d72084ebe6be336633c0
MD5 hash:
41fcad9bb45d06178dd6bc28bf956ebf
SHA1 hash:
9a85845b84f69b91d953057d41c7f87e2e7fad97
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/daf7d779-6bc3-465d-9251-d0dc6f31bd46/
Parent samples :
8bbd910cc31c0c11e4b7a83df4ae39744d4a0643c744abd0726cb747cb639ed6
7595980954007d3f83848feeb1b75115710f953952eec63ad46e6ea257aec55a
c7165e922003e02118c0d79ab82e5e63c430cf63f41252ad9f968cb7fe3078b9
644fe9320e421d92bf74b5ab972f3fcef4e07fc0ff9cc21cdc3d569b49201ad5
91f8ad08e33830df10bedd519ccbfc3d910a6456ac964e1e6871838b9558e599
SH256 hash:
9e6342e87be06fa388709246bc4d072cc98a3eab0f2843ca09e5492112183d82
MD5 hash:
fd7af294e33c5ac54e61d410baa43a79
SHA1 hash:
ee1da98aeaa9b8deaec61697b7ce4eef03d2301f
Link:
https://www.unpac.me/results/daf7d779-6bc3-465d-9251-d0dc6f31bd46/
SH256 hash:
44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a
MD5 hash:
d43e8dcc8f8b23c144f820eaa9bdbee4
SHA1 hash:
41faa61eb543ac1386e59ef1e3c485a19458ff68
Link:
https://www.unpac.me/results/daf7d779-6bc3-465d-9251-d0dc6f31bd46/
SH256 hash:
d1b01045124251aba5499c3e5df3f9905d9ac0a955c741d94c0e188a397b75d1
MD5 hash:
2a0c12b772683fa90b1c79277d07743e
SHA1 hash:
9687ff49b4130576180f6d6af4735615c8302ec9
Link:
https://www.unpac.me/results/daf7d779-6bc3-465d-9251-d0dc6f31bd46/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

img b2581a526dcf63422c4a4b5e900040d14ed72378305d678508d8b6449a3900e4

Loki

Executable exe 8bbd910cc31c0c11e4b7a83df4ae39744d4a0643c744abd0726cb747cb639ed6

(this sample)

  
Dropped by
MD5 81583553ff4dca623514af92ddd70cdc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b2581a526dcf63422c4a4b5e900040d14ed72378305d678508d8b6449a3900e4
Cape
Cape
https://www.capesandbox.com/analysis/109878/

Comments