MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 13 File information Comments 1

SHA256 hash:	8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa
SHA3-384 hash:	5e7e38088d871ef1539fc9a76592df6b495c9dd3727a0b4c3dc00c57e4fc6e1236d49b9592b38859d544d5ec188cc7ad
SHA1 hash:	baf0aafa640187dc6686762bf2b5cb9312c039cd
MD5 hash:	32d0c1d05a56b3868db81174272a2417
humanhash:	arkansas-north-west-georgia
File name:	32d0c1d05a56b3868db81174272a2417
Download:	download sample
Signature	Loki Create hunting rule
File size:	445'952 bytes
First seen:	2022-06-24 13:55:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:XrOkPRxliW1QNoyuJij7kLPRBln8e+zSg:XCkPRrhM7CZ8eES
TLSH	T13394E099E7682F5BE5C383F89C68D1042B16F34E95ACD3197DBA35CAD4363E24092E07
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/283069/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Query of malicious DNS domain

Moving of the original file

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62b5c2771fcdba4e1a524cec/reports/2e51e1b9-8ecc-4ae4-89f2-a47a94e8a090/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9dbade21-b026-4ae5-9faa-9ef7ee3fdaca

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1019363

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries random domain names (often used to prevent blacklisting and sinkholes)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Generic Downloader

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-06-24 07:50:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rypdbewv4iaq2n2lrnvuisjnejbr3t66nhgeawhfdnlcnnt35l5a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220624-q8ntbscffq/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://plxnva67001gs6gljacjpqudhatjqf.ml/BN4/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

9166bf66d80192f7e309386847067e9e7a85c98a7fb47891c20486e88084642e

MD5 hash:

cbb831dd1a1ca5eb07a70fd63eefc551

SHA1 hash:

d56694df0d66c38374b421162a20f6f2adbd1262

Link:

https://www.unpac.me/results/0e5eb155-d7c9-40bd-afa2-fd5502d32527/

SH256 hash:

0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c

MD5 hash:

843aa6edf83bff7b61c6a5369ef41e95

SHA1 hash:

d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085

Link:

https://www.unpac.me/results/0e5eb155-d7c9-40bd-afa2-fd5502d32527/

SH256 hash:

4de22c3ae6d00e2235699463077878e4ee50154334298cb448afad0f8332601c

MD5 hash:

fee12c02bf81c361c624a1e04aec8704

SHA1 hash:

81080652b1557205d9369edeb4aa14b399a54b0b

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

Link:

https://www.unpac.me/results/0e5eb155-d7c9-40bd-afa2-fd5502d32527/

Parent samples :

2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6
9b44c677587d3cbd6eeb546e50011fbeb5e7e5ed5768d25858be6da683ba5bde
8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa
a268288a6fd08bdf1f7458dbfba0cfce862e6f109dc51738d51654dd2540256c
69c72c6b690d302ba4c3294c90b067a50964bdac9e9f36b7d4ce6fd041c0715e
1cad6ac7f1a52dabece616a63040cc6e1b191461ce96caaef87a846de6c8ead4
e62ee0571627a81874e4439aacbb166d8a6419437e190278f432accfd92adb35

SH256 hash:

87577e6c69af07ba0e6383a2a152b59a39d6b336631ce4baa250bd9f8adce03d

MD5 hash:

9b17d560e68eff0da30f79b3c391c9a3

SHA1 hash:

5ceda263b1ea13401f652c709dd884d58945fe57

Link:

https://www.unpac.me/results/0e5eb155-d7c9-40bd-afa2-fd5502d32527/

SH256 hash:

9132afdee595d439a42656c6b8ffb801259d6a9d4f556e37c584a93804f41a0e

MD5 hash:

d54cdf919b502b02211c6f0355e3de1f

SHA1 hash:

451c7ba06278c70f3cd67b8a15b47f400a774433

Link:

https://www.unpac.me/results/0e5eb155-d7c9-40bd-afa2-fd5502d32527/

SH256 hash:

8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa

MD5 hash:

32d0c1d05a56b3868db81174272a2417

SHA1 hash:

baf0aafa640187dc6686762bf2b5cb9312c039cd

Link:

https://www.unpac.me/results/0e5eb155-d7c9-40bd-afa2-fd5502d32527/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8e1e3092d5e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe 8e1e3092d5e2010d374b8b6b44492d22431dcfde69cc4058e51b5626b67beafa

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2248978/

Cape

https://www.capesandbox.com/analysis/283069/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-06-24 13:55:51 UTC

url : hxxp://198.12.81.50/277/vbc.exe