MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98eda554df96bab70962f0766b781d5571a1981230ed3698b9c55902b0890f48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	98eda554df96bab70962f0766b781d5571a1981230ed3698b9c55902b0890f48
SHA3-384 hash:	71248446580b5e23a0f390e7ee3306dacc95464c52ccabe045dc40e81a287649017c80decea04fbd3c708c37f4a0a829
SHA1 hash:	6366e56f492390f089c6afa0a0fa848b6a9e4a78
MD5 hash:	d98af0ffb777225327dda3a3156c294f
humanhash:	saturn-queen-cold-happy
File name:	ORDER.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	837'120 bytes
First seen:	2023-03-14 04:00:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:FCO8lpXU5ZkXwkT2nuhqmjYuPtmIobbLxnSzI9hGeOH8opDSbq6mcBcBg6WdyjS6:FGKngtCSI9IrrSmscWcD
Threatray	3'985 similar samples on MalwareBazaar
TLSH	T143058D4483484F2CF2E0227D30683EC66F8158DCE9AEBBEF89A7D879B5D845507D6C52
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	70f0e6d4cca8f070 (15 x AgentTesla, 6 x SnakeKeylogger, 5 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://185.246.220.60/cbn/five/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

219

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

ORDER.exe

Verdict:

Malicious activity

Analysis date:

2023-03-14 04:01:34 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/d3e5d7ec-c000-430c-9b45-715778d8e968

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/374110/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDS.61009005.2492.27158.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lokibot packed

Link:

https://www.filescan.io/uploads/640ff17f86958b4d2a2797c6/reports/d6074f8d-3300-4d74-ac71-50a1e2df4876/overview

Verdict:

Malicious

Labled as:

Trojan.GenericS

Link:

https://www.hybrid-analysis.com/sample/98eda554df96bab70962f0766b781d5571a1981230ed3698b9c55902b0890f48

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf0b659b-efed-4b04-bb70-6daf9f7b02f4

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1192993

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/98eda554df96bab70962f0766b781d5571a1981230ed3698b9c55902b0890f48/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-03-13 05:25:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tdw2kvg7s25loclc6b3gw6a5kvy2dgasgdwtngfzyvmqfmejb5ea._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

Loki

26cfdd614196dd8f128f01480c55504960ecafad60991455a030cc5c73130f2a

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

83ce4d12583639df7dcbe4d13b6e608bca3c42a58dc4fbb18c352fa93dec7800

Loki

a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4

Loki

+ 3'975 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230314-ek72hsdb55/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://185.246.220.60/cbn/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

8b94b89b65310eded2180fb05f2043eed1de50ec184f5c0ca701e64bfa7ff961

MD5 hash:

009e070ce4b5e5317a76475607e1d98e

SHA1 hash:

e501036e4c59457337f9feec7ba84ffe836d1c7e

Link:

https://www.unpac.me/results/c67c1c85-2b7e-4439-a303-d33c935cf468/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/c67c1c85-2b7e-4439-a303-d33c935cf468/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

3e9b230d21475e887c543cc73bacfca24380829d151ac46f1e48211e8c587fe0

MD5 hash:

c8588d78e04cd83c0f2bb62b2cd7e38a

SHA1 hash:

54851e8d9527cdc7d1e3189d6db662322f28208f

Link:

https://www.unpac.me/results/c67c1c85-2b7e-4439-a303-d33c935cf468/

SH256 hash:

a4276f84a15c512e24f05a0ec5a4b0b22babaeebf59d4b6112b295b86a5ea805

MD5 hash:

3d7bc5433b132f4a8f676c959098441e

SHA1 hash:

1946d3ab82fa345bc16f6794c896a6d9b7d9918f

Link:

https://www.unpac.me/results/c67c1c85-2b7e-4439-a303-d33c935cf468/

SH256 hash:

85cbf7ebdb1fb9dfbf7be74de47050d8a747f85cb013a7cfd371cb3ab3013ac6

MD5 hash:

91cd7607d4942cc959d10e24a26f811c

SHA1 hash:

0c2d4b0d59a139b1c460b95c7cd892178079602e

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/c67c1c85-2b7e-4439-a303-d33c935cf468/

Parent samples :

98eda554df96bab70962f0766b781d5571a1981230ed3698b9c55902b0890f48
b46bad53e429d0e8448e3887355ae7b83c08f397ff30be8a8c6866ad2d9177db
6f24575f00c2dac29c50dd95998b4f9dcb21a179bf26a428638cdd78d69e1c49

SH256 hash:

98eda554df96bab70962f0766b781d5571a1981230ed3698b9c55902b0890f48

MD5 hash:

d98af0ffb777225327dda3a3156c294f

SHA1 hash:

6366e56f492390f089c6afa0a0fa848b6a9e4a78

Link:

https://www.unpac.me/results/c67c1c85-2b7e-4439-a303-d33c935cf468/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/98eda554df96/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/98eda554df96bab70962f0766b781d5571a1981230ed3698b9c55902b0890f48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/374110/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample