MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53
SHA3-384 hash: 8d7184d9d09a3cb655b48c5c840701c0874fbb8a6ce28a2c5329423d70de94038eec00fbc0dcac15ac6811bc9113d785
SHA1 hash: bc9183af110267c3f780fb6dc7819716558353cd
MD5 hash: 23b171b01245495df38af3a1a5ada2eb
humanhash: hawaii-north-winter-kilo
File name:Visotsk_BOQ_200717.exe
Download: download sample
Signature Loki
Create hunting rule
File size:863'232 bytes
First seen:2020-10-06 05:54:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:PqlMOn1DbR5yKo4UF9w/JKxRzLZrU7dsTBElxAhQb9o7vj5:Pn+JV5pPhKvzL+7dKBHmbk
Threatray 1'549 similar samples on MalwareBazaar
TLSH 0D05BF11968C0267F132E039A627D4786BB59D456A04D2D52DEADCBFFACFE98F4D020C
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail-smail-vm43.hanmail.net
Sending IP: 203.133.180.231
From: 박하준 대리 <audqja105@daum.net>
Subject: [Visotsk] Inquiry for the Russia Visotsk Project
Attachment: Visotsk_BOQ_200717.cab (contains "Visotsk_BOQ_200717.exe")

Loki C2:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/garuba/Panel/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68419/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482321
Signature
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53/
Threat name:
ByteCode-MSIL.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 01:16:59 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tbvsckwoupaa5uylxi7buesrto3advd7lmf2mho3nd26qlx7lvjq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24
Loki
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
Loki
194b26a2d9469d17c5ab27bbd41257758c3a4f7e20efd5388f3643f24c364b94
Loki
441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
Loki
510c68882ff2fed7d2045040f45c79980ebaa58c9c074d59390edc72c1bbca68
Loki
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
Loki
79a794aa53cfb22103d08a8cfa1bb158e2a23bbaa6f73abee590083ae45b560f
Loki
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
Loki
c8ef5faf8bef2942260f56a7bfca916280711c776ee19bf00954ebdee11804ea
Loki
d9c78a21a8344b6cc4768d7fa1b9ff128437267f1b7d1d29fccca4a5751d7ed6
Loki
+ 1'539 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201006-5p9z3nlptn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/garuba/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53
MD5 hash:
23b171b01245495df38af3a1a5ada2eb
SHA1 hash:
bc9183af110267c3f780fb6dc7819716558353cd
Link:
https://www.unpac.me/results/ea81d747-206e-46de-a3a2-8800705dc3d3/
SH256 hash:
d05ed397c31eff27f9cca54a8ba48e8ebf8eadd5e137dfcf495bbe5f822ea0c0
MD5 hash:
a7d5e9ec9689db7bc594e023839ed681
SHA1 hash:
020dbf56ce45cc328e1f47c05a4c1350927b777b
Link:
https://www.unpac.me/results/ea81d747-206e-46de-a3a2-8800705dc3d3/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/ea81d747-206e-46de-a3a2-8800705dc3d3/
SH256 hash:
463b7bf914fc080a3046d43c766e576c7dec44dcedb599ce897866930c0bef1d
MD5 hash:
c5f44ca36dbed66c4c83d241f55a948a
SHA1 hash:
67689cf86c04f503d40d5302e458c0f7024a3dea
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/ea81d747-206e-46de-a3a2-8800705dc3d3/
SH256 hash:
efed1b429d40a00bdb5f8c0194c015d4b65217d7699f96cd78eaaf8295c7560c
MD5 hash:
08c0820ea7c452a4981ccb2a29514fed
SHA1 hash:
8ed738b506e2228703968ada8b0792a97f745d4f
Link:
https://www.unpac.me/results/ea81d747-206e-46de-a3a2-8800705dc3d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab 962b1179284c6dfee49527300f18b9a648667c27f553119f4f6b3819e4a6e998

Loki

Executable exe 986b212acea3c00ed30bba3e1a12519bb601d47f5b0ba61ddb68f5e82eff5d53

(this sample)

  
Dropped by
MD5 ca5ce5b150cf62ed46ef3119892e249d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 962b1179284c6dfee49527300f18b9a648667c27f553119f4f6b3819e4a6e998
Cape
Cape
https://www.capesandbox.com/analysis/68419/

Comments