MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0d74d6d2bda3ad10c36a48bdbd96d9567e12074148220a4c04df674584cf6e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 2 File information Comments

SHA256 hash:	a0d74d6d2bda3ad10c36a48bdbd96d9567e12074148220a4c04df674584cf6e5
SHA3-384 hash:	d8466c4cdc99a45c577f3558e88d91e4ab4b651c7f9e6d75ff6f1c5e6d28442edc894985af63b14d7cec08e02d2ac16f
SHA1 hash:	f36655b60255f68d151dd00f57d0b2f401ceb480
MD5 hash:	7054a3f3c56e9b62ba1583ae4cc67f1b
humanhash:	fourteen-violet-saturn-arizona
File name:	LJah82xRicHcquG.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	472'064 bytes
First seen:	2022-07-26 10:21:02 UTC
Last seen:	2022-07-26 19:52:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'652 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	12288:oo30/A9M0OWzXnK9tuANu3Qw2dpMHFK9A6No5g0x8H:FEb0OCX2tuAzpMQ9JSC0xu
TLSH	T135A4026EF9583C53CABE45FCA4A1A20413F5A45376E2FBDACDC251E212C77B58202693
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://sempersim.su/gj3/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://sempersim.su/gj3/fre.php	https://threatfox.abuse.ch/ioc/839638/

Intelligence

File Origin

# of uploads :

# of downloads :

331

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/294247/

Detection(s):

SecuriteInfo.com.Trojan.Olock.1.23605.21109.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62dfc04fb3bb70bb32e1da7a/reports/a6655d1a-9097-494a-b02e-02d483b0a67d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a0e0a044-49d3-48a0-8ac0-f14d98a5122d

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1040975

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/a0d74d6d2bda3ad10c36a48bdbd96d9567e12074148220a4c04df674584cf6e5/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2022-07-26 10:05:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 25 (88.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=udlu23jl3i5ncdbwusf5xwlnsvt6ciducsbcbjgajx3hiwcm63sq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220726-mdpwcsgecq/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://sempersim.su/gj3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

736e2691ed37836c45fce2416cf7600ed2692d31642d3b3c1c7e6ec1f3281e25

MD5 hash:

e243d85bda734856d7918f1ad5c96ee4

SHA1 hash:

e437503d11fc5b9dabdca2fbebc83d0528aa9e97

Link:

https://www.unpac.me/results/14b42f88-608e-4e25-8d45-687e6fb4f297/

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/14b42f88-608e-4e25-8d45-687e6fb4f297/

SH256 hash:

4caeaf1ea2b305223a533a76bc9b8328db80205f73abcd12becdb35bf705d593

MD5 hash:

b2fa7b23ded32a7a4ec4f504b07a58e4

SHA1 hash:

80a9097a02a9d1a5d6cbd74c70ee6b0094618741

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

Link:

https://www.unpac.me/results/14b42f88-608e-4e25-8d45-687e6fb4f297/

Parent samples :

a0d74d6d2bda3ad10c36a48bdbd96d9567e12074148220a4c04df674584cf6e5
f7975f12a9c6b34bc27357d0bc4eda0220c5a1e57f976280b64d86fb47976637

SH256 hash:

13ca2f7a55b98e1890983122e67935c97e6d9df4429279d49a1324c6d56f0451

MD5 hash:

8b3a92a3409ae046bf3dc0753fcf8685

SHA1 hash:

4455c3efa2bf569f6d180063bb1e104a22581d61

Link:

https://www.unpac.me/results/14b42f88-608e-4e25-8d45-687e6fb4f297/

SH256 hash:

db4db9290d04b8099065726308588be361b68da59ccfd5c9e114bda11a483a6f

MD5 hash:

2eda8f56090bb1362bb74b25a26b08c5

SHA1 hash:

3b1ac8c1d762ead4e955f5a54ad72eb097b05e34

Link:

https://www.unpac.me/results/14b42f88-608e-4e25-8d45-687e6fb4f297/

SH256 hash:

a0d74d6d2bda3ad10c36a48bdbd96d9567e12074148220a4c04df674584cf6e5

MD5 hash:

7054a3f3c56e9b62ba1583ae4cc67f1b

SHA1 hash:

f36655b60255f68d151dd00f57d0b2f401ceb480

Link:

https://www.unpac.me/results/14b42f88-608e-4e25-8d45-687e6fb4f297/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/a0d74d6d2bda3ad10c36a48bdbd96d9567e12074148220a4c04df674584cf6e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/294247/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample