MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA 14 File information Comments 1

SHA256 hash:	8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9
SHA3-384 hash:	07eb9294fb572fd79c7836df2a52c2f26ca18e0ae6ab19c088a9a433ebb2e05240137258e932facba7fc658d0be9c9cc
SHA1 hash:	9855ce74f709aabdbc07fb9c3c070bb25521b581
MD5 hash:	b53ebaf56c7f64cc9e7aec067362fb03
humanhash:	arizona-violet-vermont-quiet
File name:	b53ebaf56c7f64cc9e7aec067362fb03
Download:	download sample
Signature	Loki Create hunting rule
File size:	258'560 bytes
First seen:	2022-03-24 12:34:32 UTC
Last seen:	2022-03-24 14:39:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3a09809e2f82aed7962ea0c7c3c640d3 (3 x Stop, 2 x RedLineStealer, 1 x Loki)
ssdeep	1536:zyKloL7RaRpp4ZUkqhfgYzpmPstDQAxFZuB42cW+CZgf4JopeRwJnE/Whr3/TT5s:zyKlaIhdNPxFZku8gQaKwxES5Db0
Threatray	7'040 similar samples on MalwareBazaar
TLSH	T18C44D0623AA1C831C0460C397916C7B6EA3E783101B699937B960F6D8F743D6F5B934A
File icon (PE):
dhash icon	5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/257161/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware1.14396.10002.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Sending an HTTP POST request to an infection source

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/11144/overview

Behaviour

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/623c6590dfdfa8501cd88aac/reports/ee1982a3-3fd6-4fca-bde8-f33607a802e5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35cf98e0-e1af-4792-ace2-784d553fcd01

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/963736

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9/

Threat name:

Win32.Trojan.Raccrypt

Status:

Malicious

First seen:

2022-03-24 12:35:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rrxhiczktbawmtlieryiqugeqjqmgrsg3lscivngxhrrqy5cnp4q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

465a58c67b9c168e2a7d5a1ba3b7fb53bf439be8fdabf8b07ad8e03141aafc8c

Loki

6fa3ca5bec61c6c9427b467ecefd895568f9d2db64097a2acb5d987228f97b0c

Loki

733662f82e9957520803040fdc7ac39766988c8fbe989544be40154cafce3ed5

Loki

7ec8d23c5167687f3e60e57527cedf105a3de3b1d88e47924d96bad31bfe5385

Loki

f491ca92789db4ebf58c5107059fd90616472d55a8ee51734cb9b77d89d0a7e3

Loki

+ 7'030 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220324-psdsrahac4/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://164.90.194.235/?id=17007285853618101
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

5ef5622dbc703f03e928b6c5924d5dc84bf5a1b5f9b2f9372afaf5e8dc2323fb

MD5 hash:

1bc58cb103bb1d43219e88ea27651ca8

SHA1 hash:

eebfc51c136c667f9bad76d856de9fedb3705dba

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/28aacb9a-01fb-4fa0-9026-f5b565b9180b/

Parent samples :

96d4f14f8d1be02a21feb4533eca4f270716e7b0feefe6e5a477454f13db99d1
082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495
fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8
29e35c799198c6801c422f8d1f014d8c2e024186220fc959de30e222f6be286d
8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9
c5fb4d13bb4b34f9670bc238a047b53c4392b299139c3da8b2b70ba9ddd3db2d
d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476

SH256 hash:

8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9

MD5 hash:

b53ebaf56c7f64cc9e7aec067362fb03

SHA1 hash:

9855ce74f709aabdbc07fb9c3c070bb25521b581

Link:

https://www.unpac.me/results/28aacb9a-01fb-4fa0-9026-f5b565b9180b/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/8c6e740b2a98/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968