MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99aa83f33755dd306c38287f08b2b4ee16d4a3336715191db4f942aa7aa9d792. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	99aa83f33755dd306c38287f08b2b4ee16d4a3336715191db4f942aa7aa9d792
SHA3-384 hash:	874650dae659fa86139c05a194744f101fe0e1db679756511e33efdd97998da8e214fb9bf1583e848e595cf2a615e6df
SHA1 hash:	f4cd845460d474c1270900ee3c35ffce3ec8ab8e
MD5 hash:	f42324274c7f0b3cc5a41d57112262fa
humanhash:	social-twenty-ceiling-diet
File name:	RFQ0220904Mayr.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	413'184 bytes
First seen:	2022-11-02 06:55:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:E20pouHH1J+0r1gRvNs+MIHV2KEY6qfwR1o2o0:EEu1j1YG+MIpEY6q81o2
TLSH	T12394129317B2C570D9EA83F15AE320585336AD6AE83BD75C0300157C3FB176BC536AA6
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d4d6d4d4d4d4f4d4 (7 x AgentTesla, 6 x SnakeKeylogger, 3 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://sempersim.su/gl20/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

RFQ0220904Mayr.exe

Verdict:

Malicious activity

Analysis date:

2022-11-02 06:58:21 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/d6aa67eb-3ff5-49ec-b979-d238c1d0bfe4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/326999/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.46122.12820.26793.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63621484b8952e91d3d25585/reports/f5923b69-acbd-4574-9495-ea5fa3d0c729/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/14550af9-80fc-4a42-8359-03b50262b3da

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1102998

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99aa83f33755dd306c38287f08b2b4ee16d4a3336715191db4f942aa7aa9d792/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-02 04:02:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 40 (65.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tgvih4zxkxota3byfb7qrmvu5ylnjiztm4krshnu7fbku6vj26ja._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/221102-hqcdksagap/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://sempersim.su/gl20/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d0461089-a8bd-44b4-869c-1e47b2216fc6

Unpacked files

SH256 hash:

63bf2678973ab185939b591e505c44d4c166097806762b5f0ddc7634f3ab77e5

MD5 hash:

52ab44456930800b6b04f7dee3946284

SHA1 hash:

f97b283424010410fd7a51c045e5558d49458cb2

Link:

https://www.unpac.me/results/25e061a0-eb3e-43de-b33a-c19bb2e33b3d/

SH256 hash:

eccfe9cb22e8078b591d670f3c8639ece0ce95169fc6f859f3b4c758f9cfbf84

MD5 hash:

3fc10ef00bbab8260b063f21875e8a1c

SHA1 hash:

ca1e1de3c27059a38fcb46d71ef339d16af9d5dc

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/25e061a0-eb3e-43de-b33a-c19bb2e33b3d/

Parent samples :

99aa83f33755dd306c38287f08b2b4ee16d4a3336715191db4f942aa7aa9d792
db7a33f2a3884c2f0f37ffdf329af20f5a0103b41fa26d2dacabdba15b3fe693
e9adc2a8a1d94fb13c2b4c6343c4dae56accdeea3b37004b7f17cfbe30c1bd85
7a037b203ec93f6294986caba1bf5bc75ee68be47bb6a0622a42500d97851d5d
d943255185ae2844e018149b4cd7468a4b6f96559456fdc4fd80b4ecdfd49045
54a803a43c88a1dc7866fed21425200edb8227351c77142c308821f9e23a7c7e
4a85272319f953cfed9ca17c1277ed601a433cf1bf783e1aaa36991967a6a36e
ad5a2c0255a910242f0befdc84972a13179ee08dcdfdc24d7b72bdf9f7b8cff0
5bd660220c19c632f61015729a2b2d94a062a3f0d84ddd49854407e9a5965449
c36de6d07a8ce4407cb59a275dbf8c04d05844903bb6d566f295ccd13a2d4ce6

SH256 hash:

7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9

MD5 hash:

dd8b9511dda8eb7c84e1621046828883

SHA1 hash:

7f715270ffcadcba5c3148d2a0cecfaaf6c2e805

Link:

https://www.unpac.me/results/25e061a0-eb3e-43de-b33a-c19bb2e33b3d/

SH256 hash:

8354a7ad0499febdd288542828ad0355dcb7054c0c518266208e571c5122b0c6

MD5 hash:

6bfc7ce9ec7891d9d8494454332099b5

SHA1 hash:

34fc8cebba035e2cc6d27d636f9655949080bf8e

Link:

https://www.unpac.me/results/25e061a0-eb3e-43de-b33a-c19bb2e33b3d/

SH256 hash:

fbaec964f94bb99c6c519b7f8d0597e849130c5480e6c2e25901df161adf1aa3

MD5 hash:

8e2182c5297db2e17d0ed223926462c3

SHA1 hash:

10ec0608917abf52018f63d70774b9a1220a2119

Link:

https://www.unpac.me/results/25e061a0-eb3e-43de-b33a-c19bb2e33b3d/

SH256 hash:

99aa83f33755dd306c38287f08b2b4ee16d4a3336715191db4f942aa7aa9d792

MD5 hash:

f42324274c7f0b3cc5a41d57112262fa

SHA1 hash:

f4cd845460d474c1270900ee3c35ffce3ec8ab8e

Link:

https://www.unpac.me/results/25e061a0-eb3e-43de-b33a-c19bb2e33b3d/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/99aa83f33755/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/99aa83f33755dd306c38287f08b2b4ee16d4a3336715191db4f942aa7aa9d792

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326999/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample