MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d
SHA3-384 hash: 4a120614393dfca885486efa74c14c2acdd5680c170145123bc774e1bea21b03ca50f8202986e7ca4094994c1a613a21
SHA1 hash: c93d0009340d1823cc9997d197d3adac6dffeac2
MD5 hash: e5f57d9347f7c484754015daa62f12af
humanhash: beer-apart-item-fourteen
File name:roaqc.exe
Download: download sample
Signature Loki
Create hunting rule
File size:375'246 bytes
First seen:2021-07-08 10:28:53 UTC
Last seen:2021-07-08 11:49:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (290 x GuLoader, 50 x VIPKeylogger, 48 x RemcosRAT)
ssdeep 6144:oMm4CCxYgWYD7QJox/4ql13p0jCDb+Sfkc0fY+bcIl8erZBz3OgpEIzq:oMwKYRWP6q3OjCD9kfY+bcIWAT+
Threatray 3'454 similar samples on MalwareBazaar
TLSH T1EA84F162EE80D4D6F821CC7245435063BBDF9C3D47A88A0707AAF34A5475851EEBFB4A
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
roaqc.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 10:35:29 UTC
Tags:
lokibot stealer trojan
Link:
https://app.any.run/tasks/762d4718-7cfe-44e0-8a8e-2d46af82d89a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/170401/
Detection(s):
SecuriteInfo.com.Trojan.Nsis.Spy.Gen.1.6902.19504.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b5d89de-4746-4295-a10c-66117b32394e
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813395
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d/
Threat name:
Win32.Ransomware.Hermes
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 04:16:44 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tdxj5nkesvrp37s6bjciz3d66yhtcxs7rj6glraklnqssc6l5f6q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1c21c7c621b4d7f5d39f3563c5625489c186da307a60399f918c5e8558d6458a
Loki
2070d6f358d9a25cce07e2179d7a4625bca289e433a74718bc9300350f1d3e1c
Loki
27fa1f24657b1710079922f92e16cdc7d1710257aabe93201bbf730b7ddea3a9
Loki
47aa20a304624dbf8b71da1804f3f848ab12f2797390d0788067b542dc2c6a9c
Loki
84ec364c6d26c1a382649abc47eafc328c9ee5f1ef19dbddf528db50432246f7
Loki
96502f45d9fa8235052025a0edfb89ce841b2b188259c870626f499ed68116a9
Loki
a130cf9df18f1ae304826c98d4e7cfd2e75043b126a1df0c0a36f98a64cde5c2
Loki
b05d4c847f6c158729a1d150d30c75319e6e238044928baaa631ecd053335463
Loki
b0ea4256ed6da35b96a40d763e8281f46ff79c78a0c92aca14c69eaf13a3d244
Loki
bc0e4d752580a45adc132bafa84fafea4c9e517b6af4450a57724c294a6f79bf
Loki
+ 3'444 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210708-hc3lrqw686/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Lokibot
Malware Config
C2 Extraction:
http://sspmoct.xyz/tkrr/T1/w2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
65bf01b7027b4435e69bfcf3ed1ab47d0a496152d2c18dfb1b3ea1605b463ef6
MD5 hash:
622e8935119a1ef572ff08fd2d17ea5b
SHA1 hash:
9f40d971289f0192bfedba8242253f1d791b2cc4
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/f757994e-6587-4e60-8a1c-9c8e00e3f801/
Parent samples :
c6814de11de23dfe3c6ff1bd8bda596128e39b83a3c4692cfce7daed13ac5b65
94ce947ee07dc19d535d78551ba3a64ffc394fd3049b0719f43ec9f78be32c08
ca471f5b9cc2a2ea2e2d8b250f550e2a98c93cf322f7d7497dcd4cc1736f5448
98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d
8aba3d028f87a457d87cd4f236183a751eef5166f73e04aa377c57600f0daeaa
SH256 hash:
5457c01cf927f872f0336833c55f42ca24eb3f5e75853021f714c5b40e3a738d
MD5 hash:
12599398574cfcd8c82e7d8d2158ee53
SHA1 hash:
4329aad9e7babca67ffc1a0c94bfcd7d625c64f9
Link:
https://www.unpac.me/results/f757994e-6587-4e60-8a1c-9c8e00e3f801/
SH256 hash:
687429ea562181bf37517d8862af687beb09a6f6663419cbafdf7ff038dde8bf
MD5 hash:
9c76cfbaffe634a60c5a1e0d7b149c5b
SHA1 hash:
ba719597cc17389a9705b2268e6441d9f9d03d3b
Link:
https://www.unpac.me/results/f757994e-6587-4e60-8a1c-9c8e00e3f801/
SH256 hash:
98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d
MD5 hash:
e5f57d9347f7c484754015daa62f12af
SHA1 hash:
c93d0009340d1823cc9997d197d3adac6dffeac2
Link:
https://www.unpac.me/results/f757994e-6587-4e60-8a1c-9c8e00e3f801/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/170401/

Comments