MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 945aee9e799851eb1a2215fe1a60e55e41eb6d69ef4cb1b0fc0ab7e53489c67c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 945aee9e799851eb1a2215fe1a60e55e41eb6d69ef4cb1b0fc0ab7e53489c67c
SHA3-384 hash: 127ca2f0899ae7a13b766f70a985206fcb3c78d7313e541a7faa0d7eb2288a21a9479bf8357e3cb56dc884c9ceba0996
SHA1 hash: c8adaf3337e20aff23b33e319a9794e22095e73b
MD5 hash: df32605de60aeb2f415927686fd455e3
humanhash: uncle-batman-aspen-oklahoma
File name:945AEE9E799851EB1A2215FE1A60E55E41EB6D69EF4CB.exe
Download: download sample
Signature Loki
Create hunting rule
File size:182'872 bytes
First seen:2021-05-04 07:40:44 UTC
Last seen:2021-05-04 08:01:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4f67aeda01a0484282e8c59006b0b352 (51 x GuLoader, 9 x RemcosRAT, 9 x VIPKeylogger)
ssdeep 3072:J1E/rS2paccKntce45gdi4RrCsXC4qZOGaKa1RqATUsf+SCRxw1oJsGKLs5uwj:J1onnFdi4R2U6HaKUqATUs/Qw1HGKLMD
Threatray 353 similar samples on MalwareBazaar
TLSH 4D04F10532E094B7E49506B15C76C6BAF7B7E52041354A2B3BF06F3F2E32712CE1929A
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://kenal.co/elber/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://kenal.co/elber/fre.php https://threatfox.abuse.ch/ioc/28917/

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149742/
Detection(s):
Win.Dropper.Nemesis-6646739-0
Create hunting rule

SecuriteInfo.com.Adware.Generic12.HOD.14374.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/709468
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/945aee9e799851eb1a2215fe1a60e55e41eb6d69ef4cb1b0fc0ab7e53489c67c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2018-06-15 14:09:28 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=srno5htztbi6wgrccx7buyhflza6w3lj55gldmh4bk36knejyz6a._file
Verdict:
unknown
Similar samples:
19a8635bb3faac894101fe7eb5f9ab3be3cfdbeca231e220df546b0b0f4f7852
Loki
42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204
Loki
54f6e12269366bf379107d1a920e4b0e428bdcc10cac24457874181916e84ba5
Loki
5f3be7bf52d0617f50d8dcf095edc606854a589a94f2ac8186d6b9406960aa86
Loki
6b85fd7249ceaf4a88f71ad1becb27b9c9a17b1c1bd2cb75f25cdc7b1318785a
Loki
79fd58a3cc4e8c1ff9fc6e159f504fd7f1996e77ea6c15b7303792082a2cae86
Loki
94596876e5408289110c03aee0bf01dda5d9632d4614041e644bf4809fc46b5f
Loki
c38dae4b2e2f1a502e5047777cca3852274c4b1727c56fca964a5adf0d0aeb2a
Loki
e0b94624bef25e6b46b21cc3d05ac9582b04d1b2258aaff1d13fc3819079fb3f
Loki
f03ce9b002d389709422b30388879f944410b91496c44cb29dbeeef0788b8987
Loki
+ 343 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210504-xaqk6q2llj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Lokibot
Malware Config
C2 Extraction:
http://kenal.co/elber/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
389af6ac573db3384b2da58241a248a984c1555e739626bc1352d86fa3a3ddef
MD5 hash:
806f374ca53abd8d725ff1dd764ee1a6
SHA1 hash:
ba97241c2cfa9cf74c7211364f6465aa2b8af1e8
Link:
https://www.unpac.me/results/fd3fbf4b-a566-4f95-b21b-cc407c912de3/
SH256 hash:
f520d1db9fc12677e2d949f69559e71a35c7ea545b5c6e0c7e8debd624538b2b
MD5 hash:
6494cb360ed00d49b1fc8c7fc44fc18d
SHA1 hash:
1fdd8e25b4fdb7bcb215e391fd6c6dadd817ef58
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/fd3fbf4b-a566-4f95-b21b-cc407c912de3/
SH256 hash:
945aee9e799851eb1a2215fe1a60e55e41eb6d69ef4cb1b0fc0ab7e53489c67c
MD5 hash:
df32605de60aeb2f415927686fd455e3
SHA1 hash:
c8adaf3337e20aff23b33e319a9794e22095e73b
Link:
https://www.unpac.me/results/fd3fbf4b-a566-4f95-b21b-cc407c912de3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/945aee9e799851eb1a2215fe1a60e55e41eb6d69ef4cb1b0fc0ab7e53489c67c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149742/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 08:27:03 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0032.001] Data Micro-objective::CRC32::Checksum
1) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0046] File System Micro-objective::Create Directory
5) [C0048] File System Micro-objective::Delete Directory
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0050] File System Micro-objective::Set File Attributes
10) [C0052] File System Micro-objective::Writes File
11) [E1510] Impact::Clipboard Modification
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017] Process Micro-objective::Create Process
18) [C0038] Process Micro-objective::Create Thread