MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552
SHA3-384 hash:	bebe70a305a7bc97205a0bd9bfd91d0e4cde1efbcf0986a5ac0d24a19c7cb39a3ecc7a4d3b02447c4194af6c7eac0074
SHA1 hash:	2f4329fa3aa0a1811b22d4645a8679288abbbd77
MD5 hash:	c72b6d0fa5da7249b6ddffe1b3d83363
humanhash:	ceiling-table-ack-juliet
File name:	QT367001.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	728'064 bytes
First seen:	2023-05-03 03:55:09 UTC
Last seen:	2023-05-13 22:55:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:6BOJA0xPmangAfwVUYArnfndGKCXlbgNe6s/buvjwbuHSd9:6t0xua1fwVrEdGKC27s/4syS
Threatray	4'107 similar samples on MalwareBazaar
TLSH	T125F4BE14F3B68402E40BCE731A5CF9B012727C8B7DD19A6566E97F977BBBA44280424F
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://185.246.220.85/seth1/five/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

550

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

QT367001.exe

Verdict:

Malicious activity

Analysis date:

2023-05-03 03:56:17 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/218ac4ed-5964-4b03-87da-44dec9f6e5de

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/386192/

Detection(s):

SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

lokibot packed

Link:

https://www.filescan.io/uploads/6451db531facab193c672a2b/reports/43d24034-d9fa-4d81-b8ac-ae76ca3e8530/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9892b725-5b58-4451-a002-0f13ed5a6775

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1225113

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2023-05-03 03:53:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uzremo4u3q46zyhtwdmik5zeowshlohbzm2h4cijbb6o2h2u4vja._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f

Loki

5c8cebda365a042d04dc1734322b809fdb56e95f0a7ce0b7bd3e141ebccc07bf

Loki

78a5a0b0bed684217ba65ee4f92daebaa0ef82c9f95d9a5999e0b3755e2ba823

Loki

7e44c6fb6963620960fe0f8574af42ec032aaff7238bf470cba2c4af3a9da77d

Loki

aa5db1e76d992d81c9b6f368bc705f4240512bc4aa193cc23fa3ba50ce48d1fc

Loki

c4359763aa0cac9b3d55b130cca1f38e1a4b3a2b80c55feff4e048b86d2e9c0f

Loki

e2de9b40fe4d786cefc62428bb7e17d2268f5bf6c8c939e576d86be69c90af90

Loki

e3bd0660f61bc671f91a00cac1734dd1854d7c7a2ae4293ddc960d274fdfbe6e

Loki

+ 4'097 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230503-ehcgtsde98/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://185.246.220.85/seth1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

a5345827c7856f45c58b0f6efc65e41a369c587688119d92c8ea56665157f7a3

MD5 hash:

a1da401184f9367fd8c81004e30ee7df

SHA1 hash:

f3a0a3656d027ba72ac79c5963aaf31c904fa339

Link:

https://www.unpac.me/results/855ab211-47c9-4601-bd57-02ae0a311bb5/

SH256 hash:

280001013946838a651abbdee890fa4a4d49c382b7b5e78b7805caef036304e2

MD5 hash:

d4b6893a5512534104c6c7403be60897

SHA1 hash:

d4b51c3e4cafb3b146435a4e2e21bb5ddf15956d

Link:

https://www.unpac.me/results/855ab211-47c9-4601-bd57-02ae0a311bb5/

SH256 hash:

1076940f9f54596f3ef3848b7fce5a33b73138c3a7ca164daa18541acee1902f

MD5 hash:

83ab40633f99a85f69a23a4f8bb465ed

SHA1 hash:

c109a5e691aedcf19bbd48ee8fb5ffaee02fb8a3

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/855ab211-47c9-4601-bd57-02ae0a311bb5/

Parent samples :

bdca02b5a08aacb4702cfabaaca20129ff3c7ff3b332ebaeb41c1b802bb8e19b
a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552

SH256 hash:

40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403

MD5 hash:

c768bac25fc6f0551a11310e7caba8d5

SHA1 hash:

95f9195e959fb48277c95d1dd1c97a4edff7cb3a

Link:

https://www.unpac.me/results/855ab211-47c9-4601-bd57-02ae0a311bb5/

SH256 hash:

9bbdcdabf3c76923a23706a151dee25c402b3cc72208dc5ff84be3549bc6c9b3

MD5 hash:

92f656a8ebd6709d90227a4d69d418f2

SHA1 hash:

09dd98683bab36307728a3419a6149e2554c71f0

Detections:

lokibot

Link:

https://www.unpac.me/results/855ab211-47c9-4601-bd57-02ae0a311bb5/

SH256 hash:

a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552

MD5 hash:

c72b6d0fa5da7249b6ddffe1b3d83363

SHA1 hash:

2f4329fa3aa0a1811b22d4645a8679288abbbd77

Link:

https://www.unpac.me/results/855ab211-47c9-4601-bd57-02ae0a311bb5/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a662463b94dc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/a662463b94dc39ece0f3b0d885772475a475b8e1cb347e0909087ced1f54e552

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/386192/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample