MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 15 File information Comments

SHA256 hash:	93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1
SHA3-384 hash:	394300850793d5d23011e0b3715133dcaec3479937e9838939724fe66cf364a48133fffaab41d71e35b1e5e705b14b29
SHA1 hash:	1db7ee7cf5547a8d8ee539ce9d4e873ad034a483
MD5 hash:	967c7c2bf9099f39ad1c3111207e97e7
humanhash:	pasta-coffee-sink-connecticut
File name:	RFQ6789034-INQUIRY.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	672'768 bytes
First seen:	2023-03-20 02:10:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:hKhmYMUnFW/N0AVJVSufX1KzbTh9Ii3Ui4RCYhsMoPQ54ivU/MJ+H3tKzlCztxgM:hKhU+6uC0bT/Ii3PsCYhvoPk4aU/fczS
Threatray	259 similar samples on MalwareBazaar
TLSH	T1CDE412252F9B5634F83667FD95E4728057BEB3B22317D85D14B201CA5B73B038A81A3B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	209488c66eb85922 (14 x AgentTesla, 7 x Loki, 7 x Formbook)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://64.227.48.212/?page_id=6303

Intelligence

File Origin

# of uploads :

# of downloads :

307

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

RFQ6789034-INQUIRY.exe

Verdict:

Malicious activity

Analysis date:

2023-03-20 02:11:47 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/2306b954-18da-4ff3-aee3-b497f6e564fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/375757/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/6417c0b7e6d26a096f5725d1/reports/fe7b5cd0-a245-487a-b730-1f43b1969b48/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4b3ceb54-b671-40f6-9653-4cf6e1343f8b

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1197316

Signature

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1/

Threat name:

ByteCode-MSIL.Trojan.Loki

Status:

Malicious

First seen:

2023-03-20 02:11:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=spbqfnwg7emg5wybyams7thmfn3sosrehy7lasnorsmwph2xzhyq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

11690992029e6c4c55ab843d496301b9189fc2a286ce3ff60ed485d88d46e8aa

Loki

2fbe8381a484cb4c52055f448ec0934e04230d60fe109b3982008c598714c8ae

Loki

3bec8fa9b1952d7c7289604328ff1c6fc528ed0d5643e308e643422eab3f21ae

Loki

50ee6f613fdfbbe0ab3745d1641f98df80be37ab88bb587cde4baf3835e5637c

Loki

594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188

Loki

a0ef330540f4a9d53c9b6fd713570d8fc327f8af1b51e66918a528cf9f501cd3

Loki

c434dec5efd7676781a49416db58e4bc4e257e0d8f5c27ac1d9c61ca9693b648

Loki

deb989bfedd869d8ce4f26ff0dec29c8f0c3c2bef1f6b441bb63eb3266fba13b

Loki

+ 249 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230320-cl9wdsbd34/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://64.227.48.212/?page_id=6303
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

30780f2a50e90cd2774acd886918d8d92ea624a05b12d0e1faf7cec64a426edd

MD5 hash:

8d4982d22e42360c6097abdcf0ed79dd

SHA1 hash:

d7df2a1af071b636182c8f77affb9bcd9dc8c88e

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/68cb5820-e882-452f-b40f-d08eb3f36d20/

Parent samples :

93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1
8e8f0ef7fe5176d9ca580c127a9476ca505c4990c317ebd7b18b92129eac4bb2
c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b
d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46
a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d
b3a40483ab494f036bce8494672fcabc9719ac985979446135ca2625de80056d
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
453b2c84056cde325f4e314ecb272996714901ced897e8605658d25f1036aee6

SH256 hash:

8c94dbbc9fa42cb45b8f6ba134df4ec28dd24c5dd93f80d286eff7552d073e11

MD5 hash:

895b9bc06dacb5097757497c4317ae0f

SHA1 hash:

c3f4579fca0325ac3189b6089eeb5d052df66701

Link:

https://www.unpac.me/results/68cb5820-e882-452f-b40f-d08eb3f36d20/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/68cb5820-e882-452f-b40f-d08eb3f36d20/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

e6ecb7e698624384b0d994b1207fa8f97753b597b1a90376dc0894ee5bff555f

MD5 hash:

12ad1880b523a60edd5f67c0aceecb8b

SHA1 hash:

895ff2868c1ba61d6bd2b72ddfbae9d95421f3bb

Link:

https://www.unpac.me/results/68cb5820-e882-452f-b40f-d08eb3f36d20/

SH256 hash:

608cd263835a73319758bd1320b7ef85b490e6aa586567fe0751743e599dbe28

MD5 hash:

2dac515c330487cb2ed6cbb9494d5789

SHA1 hash:

3d73db4e33699a522597b1d64bf048a875ab7f9f

Link:

https://www.unpac.me/results/68cb5820-e882-452f-b40f-d08eb3f36d20/

SH256 hash:

93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1

MD5 hash:

967c7c2bf9099f39ad1c3111207e97e7

SHA1 hash:

1db7ee7cf5547a8d8ee539ce9d4e873ad034a483

Link:

https://www.unpac.me/results/68cb5820-e882-452f-b40f-d08eb3f36d20/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/93c302b6c6f9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/375757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample