MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95adc30ed6495e078a795b6184442b4147e87e1e48bd040467c0d190cabbf092. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95adc30ed6495e078a795b6184442b4147e87e1e48bd040467c0d190cabbf092
SHA3-384 hash: 6f19ce85edb378974f3bf3f0a1c7bc2f1c0ce2e509e95038b7d0d35e5fdbc5ea06d053383d876355f1b3767c893fac9c
SHA1 hash: 5649611b8d4f5c73c99643e4005ee83c094496ae
MD5 hash: c56cfbc256132f6c04a193a47ef4949c
humanhash: diet-india-edward-william
File name:C56CFBC256132F6C04A193A47EF4949C.exe
Download: download sample
Signature Loki
Create hunting rule
File size:499'712 bytes
First seen:2021-06-22 12:10:36 UTC
Last seen:2021-06-22 12:36:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8042518445fdbe32d1be366d9cb29a91 (2 x Loki)
ssdeep 6144:Ui9dZNf/9bmDCWH3AEOVdaUUqZ7sIJ0RNBjEDoUYplB2eJhxsdvwncFp65/A:hRZmHXoeU9Z74QDmweadZ4pA
Threatray 8'286 similar samples on MalwareBazaar
TLSH FCB4C01C1FCB63D9E625ECB65B2232ADB283183299A1CD72DC256870A1F77C0B719771
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://185.198.57.204/kboy/sync/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.198.57.204/kboy/sync/fre.php https://threatfox.abuse.ch/ioc/139716/

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C56CFBC256132F6C04A193A47EF4949C.exe
Verdict:
No threats detected
Analysis date:
2021-06-22 12:13:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/863f5381-56ca-4298-a28f-99a958694e3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167550/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0845b54-020a-4d3c-aec6-98c3022a46b6
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805931
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438342 Sample: aGDehjYIws.exe Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 9 other signatures 2->41 8 aGDehjYIws.exe 3 5 2->8         started        11 wscript.exe 1 2->11         started        13 wscript.exe 2->13         started        process3 file4 29 C:\Users\user\AppData\Local\...\filename.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\filename.vbs, ASCII 8->31 dropped 15 wscript.exe 1 1 8->15         started        18 filename.exe 1 11->18         started        20 filename.exe 13->20         started        process5 signatures6 59 Creates autostart registry keys with suspicious values (likely registry only malware) 15->59 22 filename.exe 1 15->22         started        process7 signatures8 43 Antivirus detection for dropped file 22->43 45 Multi AV Scanner detection for dropped file 22->45 47 Detected unpacking (changes PE section rights) 22->47 49 3 other signatures 22->49 25 filename.exe 22->25         started        process9 dnsIp10 33 185.198.57.204, 49733, 49734, 49735 HSAE Netherlands 25->33 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->51 53 Tries to steal Mail credentials (via file access) 25->53 55 Tries to harvest and steal ftp login credentials 25->55 57 Tries to harvest and steal browser information (history, passwords, etc) 25->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95adc30ed6495e078a795b6184442b4147e87e1e48bd040467c0d190cabbf092/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 21:42:34 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sww4gdwwjfpapctzlnqyirblifd6q7q6jc6qibdhydizbsv36cja._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
481ef8217d421c2f236d0846229e3c9884cb373530d93a00c8f30b83319c2824
Loki
5c4943289a1959b03d31592b147472be4d31a2637316b7bbe102412082619502
Loki
68f15600e889278aada0762a0fb84c11501bf3913380686aac74e6b3d4443368
Loki
72f8fc97cdd78a7349f6cfa31bce03a55f9e5f2485a443f73690ffeee77fad71
Loki
7c72d2e12ed2db6353a373d16c07eaf27fbf110c75a2dc7535ec7d624cb42012
Loki
8533f6030709d8f590c3e50dd87edf7cc841d2b4b455e209a7999c0ef1b1d743
Loki
ab1cef822f66d7b77574a21c8154d4a6e9fcd196a6659637f1d662f0ef7df3bd
Loki
ced266ad59923661e84dca65e4412e0b99a11fe4868f4219142ebc49a8308fb2
Loki
d5444014dffa4f7690681f95911efc47a8a8f07086a720204db2588998b8a6d1
Loki
e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
Loki
+ 8'276 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer trojan
Link:
https://tria.ge/reports/210622-4ctee2e53j/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://185.198.57.204/kboy/sync/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
95adc30ed6495e078a795b6184442b4147e87e1e48bd040467c0d190cabbf092
MD5 hash:
c56cfbc256132f6c04a193a47ef4949c
SHA1 hash:
5649611b8d4f5c73c99643e4005ee83c094496ae
Link:
https://www.unpac.me/results/2e0d8bc2-50b0-41e5-885c-df9bb3128b96/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/95adc30ed6495e078a795b6184442b4147e87e1e48bd040467c0d190cabbf092

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167550/

Comments