MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
SHA3-384 hash: 1668871ad5b405c941f839cbbb431ef89835b251390e66e9d4c73ac0adf15ac96977d9868fc57e5bdf9bf982b55e351a
SHA1 hash: 382e86c09e6b52a647588fcb27c715d5ee45ee70
MD5 hash: 1b29cfed64d530eafb6ce93a632e20d2
humanhash: undress-finch-delaware-yellow
File name:SecuriteInfo.com.Win32.PWSX-gen.14556.26418
Download: download sample
Signature Loki
Create hunting rule
File size:748'544 bytes
First seen:2023-07-25 10:32:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:kfgETCrYiIoFwIrG3XCCaEHsbHGcEFeXMajf9sbh7Iaw/fWKG:Sx2rHIcTrGCS8zMaj6Fc
Threatray 3'971 similar samples on MalwareBazaar
TLSH T109F4F12136B99F97C5BA47F84030323413FAAEAE6039D3195EC374DA1976F408626F67
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win32.PWSX-gen.14556.26418
Verdict:
Malicious activity
Analysis date:
2023-07-25 10:40:54 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/360ba0c6-5b4e-4a08-ad54-2c2a4f934d22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432111/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.14556.26418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Enabling the 'hidden' option for analyzed file
Moving of the original file
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56e186f9-99bf-4afe-9dd5-918524048d85
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279042
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1279042 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 25/07/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 8 other signatures 2->50 7 SecuriteInfo.com.Win32.PWSX-gen.14556.26418.exe 7 2->7         started        11 agUiPFdTfeJLfh.exe 5 2->11         started        process3 file4 34 C:\Users\user\AppData\...\agUiPFdTfeJLfh.exe, PE32 7->34 dropped 36 C:\...\agUiPFdTfeJLfh.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\tmpE52F.tmp, XML 7->38 dropped 40 SecuriteInfo.com.W...14556.26418.exe.log, ASCII 7->40 dropped 52 Tries to steal Mail credentials (via file registry) 7->52 54 Uses schtasks.exe or at.exe to add and modify task schedules 7->54 56 Adds a directory exclusion to Windows Defender 7->56 13 SecuriteInfo.com.Win32.PWSX-gen.14556.26418.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 62 Injects a PE file into a foreign processes 11->62 21 agUiPFdTfeJLfh.exe 1 53 11->21         started        24 schtasks.exe 1 11->24         started        signatures5 process6 dnsIp7 42 138.68.56.139, 49707, 49708, 49709 DIGITALOCEAN-ASNUS United States 13->42 26 conhost.exe 17->26         started        28 conhost.exe 19->28         started        32 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 21->32 dropped 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->64 66 Tries to steal Mail credentials (via file / registry access) 21->66 68 Tries to harvest and steal ftp login credentials 21->68 70 Tries to harvest and steal browser information (history, passwords, etc) 21->70 30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc/
Threat name:
Win32.Infostealer.PrimaryPass
Create hunting rule
Status:
Malicious
First seen:
2023-07-25 07:03:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t2d2cgh7tgxy7inogk7dlgms7cds2yzo4tudryt5lnitp7xtjt6a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
21a3feee6f44d5a03971e5aced1f93b6bc28950d2729f411a477fdec605ec156
Loki
87315498a98e525f805959cc316405bb4f937ee28b087c68838033ecd3cd0dd5
Loki
8b3068ebb19771dd9d8d0fbabda5cef3d8dd973b4aace949bd2c72bc4dc9779e
Loki
8c5c20763f5514325caf9fd4aa11531658fbf52200ba359f4aa3d4c7284c464d
Loki
95bffddb091c2b221f1395a4a4cf1dbf4a3ad29638a503b7cc85848a45198e06
Loki
ba2ca0c5ba29b90d2ce55292293642c9f6b3b931381db8221d529452d04a5189
Loki
c8ad050630ea954712c67d5c27e8f75542d78e7d43c81554c0a652da9218a880
Loki
df72be5f9ed3c15149f37c8fdb80683554f439257317837b0b6bb96dc4cac387
Loki
fe1140b9f51be2ad605b26a161f79839994aad33089412401912811eb6d569e0
Loki
+ 3'961 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230725-mlh3saca97/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://138.68.56.139/?p=9198360515
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
3f68cc843eb3b2a764dc02355e2e3f97dce8f1164d6f18a4f77e850410dfc137
MD5 hash:
60126f10641986bbcefca9ed6159994b
SHA1 hash:
df584155d49b10805f1f0d81a758e98b23990815
Link:
https://www.unpac.me/results/c1a30adc-df2f-46f7-ad14-6a75e54b978e/
SH256 hash:
e1eeef7a9585e86f81033e20305bf97579145b98f30bab06ba35a63db417ab48
MD5 hash:
34d293b1ac49a23bf4799ee3172f097e
SHA1 hash:
a76f9c758aaeb9bcc288495291876b3d72a6c4fe
Link:
https://www.unpac.me/results/c1a30adc-df2f-46f7-ad14-6a75e54b978e/
SH256 hash:
a8ee4d03d5e0496382cf7a0f02724d3448ef7b74a14cc50c9235fd30dafa3b87
MD5 hash:
064a36385fe41ff395e8e49ca1d0c9ea
SHA1 hash:
2fdc69c7e7a94e84c7d4f160dac9af1b7e1e3020
Link:
https://www.unpac.me/results/c1a30adc-df2f-46f7-ad14-6a75e54b978e/
SH256 hash:
fe3bd8c55d03026d8e0243a71dc411488661fe41ca7de43649ff61b1d53b2510
MD5 hash:
528b0f2b2231328acc1fd9c50e575c9f
SHA1 hash:
0f924f3bd115273d2b504b5c6132c89a38010f44
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/c1a30adc-df2f-46f7-ad14-6a75e54b978e/
Parent samples :
ef954e69e445fd7a4ef88db4ec43f0b9ab80985e2de23d1fc6dfe89a8dc88970
d60d94a1edcdab800f81abe6f72248469547a1b55f89cd872acda4cc6d7dee61
39962d783ceca0f8d0250660179c45b22e74097cf20eacb5464342fbcfcac61a
8615a11492e27f4a2d4b3028ef8a94f179d7e4b2f8d81f3088172378db2e9df2
127c29b65ebf2143b66e5c60fcdbae43c4789c836e273e4f996efd0e56040e8f
9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
2eb81e5ef35729ff5cd330b41347350298e20cce4b1ebffcdba90be70b84590f
SH256 hash:
9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc
MD5 hash:
1b29cfed64d530eafb6ce93a632e20d2
SHA1 hash:
382e86c09e6b52a647588fcb27c715d5ee45ee70
Link:
https://www.unpac.me/results/c1a30adc-df2f-46f7-ad14-6a75e54b978e/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e87a118ff99/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e87a118ff99af8fa1ae32be359992f8872d632ee4e838e27d5b5137fef34cfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/432111/

Comments