MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774
SHA3-384 hash: 856390a36b467108f2cdc65c436b18360f554452bbbd9b5b7724b347c655354c0942538fd033ddf1fa0207764f9fe8b0
SHA1 hash: 9668a3308afd8008b45f0318e893b12c2e358bdf
MD5 hash: 423f4c2362a604ad167e5d9c9c71b50f
humanhash: crazy-mississippi-glucose-paris
File name:423f4c2362a604ad167e5d9c9c71b50f
Download: download sample
Signature Loki
Create hunting rule
File size:200'704 bytes
First seen:2023-02-14 17:31:08 UTC
Last seen:2023-02-14 20:33:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dd0586f5c5e46eff877624b05b375878 (20 x Smoke Loader, 6 x RedLineStealer, 1 x TeamBot)
ssdeep 3072:oJ7uFa5zvmULiU5mntmsLIDy5xz2AdrJCTqA4sFkCVM:ooovvrStms023iAPwqTyBVM
TLSH T19014BE22B3E0D471E92346318C35D1B56A6FF8215FA59ADB23946B3F0D713D08B7A392
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 929acad2e4e0c2c4 (1 x Loki)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
MV SANTA ACE.xls
Verdict:
Malicious activity
Analysis date:
2023-02-14 17:03:49 UTC
Tags:
opendir exploit cve-2017-11882 loader trojan lokibot
Link:
https://app.any.run/tasks/66cc61a6-fe8c-45ea-8823-05e38bfc3fa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/365916/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65495303.21221.29000.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Query of malicious DNS domain
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/69751/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lockbit packed smokeloader
Link:
https://www.filescan.io/uploads/63ebc59555a8f3b96192475a/reports/946ab6c8-f723-4b83-ae79-4b76e23fb716/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fddbdf4-daf9-4226-941e-9edd34de180c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1174680
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-02-14 17:32:11 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5u4cd6afjwzfye3ukqm4zhtvuetisgvx7lj2abdgn2bpqo5w52a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230214-v4ahcsfa32/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
https://sempersim.su/ha19/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d8bb582465eb556c5bed130c6a832ebd673709f9b45d29d2fe056388def76bbb
MD5 hash:
7e778e6a939266a8deac1152b921ab21
SHA1 hash:
fea6f2ba9be6a4f57dc71d67addd857924e9e41a
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/47c563b5-9b86-42f8-9f77-243f8266b54d/
Parent samples :
9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774
65cc33992ce4489d338c48feb5dbe78f5a252d5195bb7d56e6bcf631d26e8dd7
bd6d05a0b508e5bfc4c8d4a2c9bd7b307638986e460c160378bd5d98cd5850aa
c2e87e031cf06cfbc066444c30dc76d1377857012a034143c7b039b292da73b9
ef55ccbcd896514df881410c71c4f5bfc27d49ccfb4a5eaad9107d53f0ac817f
1f973d307ac6766796e6abcaf1c71b8e506859ebf82d9d176fafc564383b2e20
99d0215079e5fa7783a1f4a945b9dcc57fde6bfebff9ecabc408fdb3ff29ba87
6ed50a5868a27769876f8cbff4f93982ed20881ed73f6a17ca7626b7da81e565
c0ab36b7e47fb880b196a926d3c38c6336ccff8de52bee22b845ed21e466f7a1
3a1b720f24bfe9a18b5183e3482a50230c33260f5135c99f0581ed8d9a605436
ed93caf4a5efd745ca40ffb4c8ef2d1e05255ecfd6aa4584b3709075a8e8949d
SH256 hash:
9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774
MD5 hash:
423f4c2362a604ad167e5d9c9c71b50f
SHA1 hash:
9668a3308afd8008b45f0318e893b12c2e358bdf
Link:
https://www.unpac.me/results/47c563b5-9b86-42f8-9f77-243f8266b54d/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f69c10fc02a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 9f69c10fc02a6d92e09ba2a0ce64f3ad093448d5bfd69d0023337417c1ddb774

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2539965/
Cape
Cape
https://www.capesandbox.com/analysis/365916/

Comments


Avatar
zbet commented on 2023-02-14 17:31:10 UTC

url : hxxp://195.133.40.108/spacedata/.win32.exe