MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 18 File information Comments 1

SHA256 hash:	a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad
SHA3-384 hash:	99da73b14764d2657d8a652c72ffaad1025d1e776f0befa13bd0247d379198a0335838f1f605ec2cc6b7f2b56bf94852
SHA1 hash:	eaf71996813d33be1412129f220f4df01720e62c
MD5 hash:	44306c039d9c7ae4e1ffc6f3241331f1
humanhash:	double-echo-social-two
File name:	44306c039d9c7ae4e1ffc6f3241331f1
Download:	download sample
Signature	Loki Create hunting rule
File size:	215'040 bytes
First seen:	2023-08-08 07:14:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2de346935dc4b8f552af9d851541677a (3 x RedLineStealer, 2 x Loki)
ssdeep	3072:uEc9uZbHLv2xqGGlVJnWofcuw0mFCHPzCDlvxHJBROWGq53PpS:V8u1HLv2xqHl3QuwisxHf1Fx
Threatray	4'244 similar samples on MalwareBazaar
TLSH	T11324C02179D1C0B2D16B41305934CAB06A3FB4766BB7C987F758172D1E332D2AAEA306
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	020604051c182000 (1 x Loki)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Shipping Documents.xls

Verdict:

Malicious activity

Analysis date:

2023-08-08 06:47:32 UTC

Tags:

opendir exploit cve-2017-11882 loader trojan lokibot

Link:

https://app.any.run/tasks/96119b52-ff64-485d-adc6-1ff454e16560

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/441244/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fca4f70e-eb43-4b06-88da-4741d638d551

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1287585

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-08-08 07:15:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uv6g772pxcca7622dfuk5vzfwxc6jrvvzvqyjnub22ba6h4db6wq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

4401ff9bde7c8fa01c34a3b90959ae1e41eba1ca2e0fc6ce57ecce3a34dd25ad

Loki

445313b315d4804177b96cd884ac97b6f2ab5f71642f53c82ee22b3b4f63637a

Loki

5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180

Loki

5781e8b9faa7f9d6016bce962bbc5677a40b018eb2e3245588287c032dc2960b

Loki

b3d81043a45b2c155f866d7710200892b12a9f31472c594e664e0a83ea959f85

Loki

c2e87e031cf06cfbc066444c30dc76d1377857012a034143c7b039b292da73b9

Loki

dbfb7fe4882a662e88d24b69b6e2fe33bafc95124d20b1db754ce05698527eff

Loki

+ 4'234 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/230808-h28k6acf9x/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://2.59.254.19/fresh2/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

4beb516b7fbd64ab5e063a7d89e50cae6678ca2d66138ed40804500fe1bca833

MD5 hash:

02cd6173f35e70df571e901db2654076

SHA1 hash:

0cbf4c991e81195ca1a696c50d905ab2e6a73374

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/afc4edbb-9cc4-4485-9286-ba81b692521b/

Parent samples :

c948905331a49dd9d200fe4c6807a39e8be5cddf3c7e8f50f4a3a6047d4080e6
5eee327c9547654d3cc01473d65113b1346801acfaa70e2e79bf24b3eb226521
a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad
93529d9a4557671f8c6a7649e177af2cf02627edf7d7beb693c0f76c55b39713
2a94af793a2d827d2239b6694948506f2b292c5573f5eecb4862e072ccff3666
2c1a810322fcdb4d5247df6da01e30c5c670b122498f3c6a4bcaaf1fe14dd1fc
82a294aa5072baca70b941c44def34063e052ef781a1673ebc65071cffba647e

SH256 hash:

a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad

MD5 hash:

44306c039d9c7ae4e1ffc6f3241331f1

SHA1 hash:

eaf71996813d33be1412129f220f4df01720e62c

Link:

https://www.unpac.me/results/afc4edbb-9cc4-4485-9286-ba81b692521b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe a57c6fff4fb8840ffb5a1968aed725b5c5e4c6b5cd6184b681d6820f1f830fad

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/441244/

URLhaus

https://urlhaus.abuse.ch/url/2702438/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-08-08 07:14:21 UTC

url : hxxp://103.37.60.77/770/chrome.exe