MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd
SHA3-384 hash:	69fd7e190aaffc294fe60fc85801f99bb0ad115c7ca193b82d090d492ff2fa26e4ae1383e04b994daf389774f16eb507
SHA1 hash:	f33c82057e74d722983191ef284f676962e99eda
MD5 hash:	f1739f1542964f8cc19a351d75e9b162
humanhash:	yankee-venus-alanine-alanine
File name:	PO 201012-0134A.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	505'856 bytes
First seen:	2020-10-12 05:46:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:dtd0PZcX5w+sfwSnnZuWgNCNJk0C3TyBcmfNGq:H5cwSn4WZLk0OTuXMq
Threatray	1'689 similar samples on MalwareBazaar
TLSH	65B40233228A1E27C2BD16FA4013300613F5E61A6753FBDE7D9640AC06A1349EF667DA
Reporter	abuse_ch
Tags:	exe geo KOR Loki

abuse_ch

Malspam distributing Loki:

HELO: mail-smail-vm28.hanmail.net
Sending IP: 203.133.180.210
From: 구매부 김승준 과장 <ucpn2381@daum.net>
Subject: 견적 요청
Attachment: PO 201012-0134A.cab (contains "PO 201012-0134A.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/69886/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

Creating a file

Changing a file

Replacing files

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Stealing user critical data

Connection attempt to an infection source

Moving of the original file

Sending an HTTP POST request to an infection source

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/487884

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM_3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-12 02:50:19 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=swvbt227e32lyncpkhmtie4mwp42inp4zmu2dvjso6yg5s5ze3gq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

spyware trojan stealer family:lokibot

Link:

https://tria.ge/reports/201012-2b7yq58mpa/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/kiriko/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd

MD5 hash:

f1739f1542964f8cc19a351d75e9b162

SHA1 hash:

f33c82057e74d722983191ef284f676962e99eda

Link:

https://www.unpac.me/results/f3db4cbb-131d-4fad-a00f-21bec4fefde6/

SH256 hash:

13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43

MD5 hash:

109cedae3c384a1913107f1efad2b7c8

SHA1 hash:

1f7f35b0ed85fa12bb839cbce698e59a30813420

Link:

https://www.unpac.me/results/f3db4cbb-131d-4fad-a00f-21bec4fefde6/

SH256 hash:

c72e316bac6f44b7d2f04affebfa731144d83c68ab407f24d72b7c30bfaadcfb

MD5 hash:

41fe954180604ef9f3b5c3b48563982c

SHA1 hash:

3e241026e1983de10c4e901dd47eb661a50553a2

Link:

https://www.unpac.me/results/f3db4cbb-131d-4fad-a00f-21bec4fefde6/

SH256 hash:

db062545b1f734963c6e4d2614132495e37f7d7b295f25fa1033bb6a687acca8

MD5 hash:

e84ef5e5e9a5ce278c8e249aa9ef10bd

SHA1 hash:

823b72caafeb855dde1704ed9017f73544d15693

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/f3db4cbb-131d-4fad-a00f-21bec4fefde6/

Parent samples :

59e3d88395cd8c96d5417565ba343cb43c0f336ba9b7099e9314d3fe1795ef51
5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff
95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd

SH256 hash:

b7bacde0b5d855d81d8f9a935ac5e51e7ea030f427d7369072291cbda741b726

MD5 hash:

c34398be7e7f231b8263cc6ab713b72b

SHA1 hash:

dda778247d010ea0a37055fdd4613ae2d76dcc04

Link:

https://www.unpac.me/results/f3db4cbb-131d-4fad-a00f-21bec4fefde6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com