MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab1cef822f66d7b77574a21c8154d4a6e9fcd196a6659637f1d662f0ef7df3bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab1cef822f66d7b77574a21c8154d4a6e9fcd196a6659637f1d662f0ef7df3bd
SHA3-384 hash: e20634f0656a3f6b618dc9422e804429286986d7c3c19c99c78b5c282ebb5bc51ca634b4b6dc0cc0a575ffbd6cf0710e
SHA1 hash: 258023292effb0a0f1ad10ab34efe380eca746f1
MD5 hash: 4f1000a03f782677440b67a61ef3930b
humanhash: whiskey-blue-december-jersey
File name:AB1CEF822F66D7B77574A21C8154D4A6E9FCD196A6659.exe
Download: download sample
Signature Loki
Create hunting rule
File size:499'712 bytes
First seen:2021-06-22 00:11:07 UTC
Last seen:2021-06-22 01:08:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8042518445fdbe32d1be366d9cb29a91 (2 x Loki)
ssdeep 6144:Oi9dZNf/9bmDCWH3AEOVdaUUqZ7sIJ0RNBjEDoUYplB2eJhxsdvwncFp65/W:DRZmHXoeU9Z74QDmweadZ4pW
Threatray 8'140 similar samples on MalwareBazaar
TLSH E8B4C01C1FCB63D9E625ECB65B2232ADB283183299A1CD72DC256870A1F77C0B719771
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://185.198.57.204/kboy/sync/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.198.57.204/kboy/sync/fre.php https://threatfox.abuse.ch/ioc/139716/

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AB1CEF822F66D7B77574A21C8154D4A6E9FCD196A6659.exe
Verdict:
No threats detected
Analysis date:
2021-06-22 00:14:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40fe0835-622c-4ae5-a457-370f0f810494

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lokibot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167411/
Detection(s):
PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b8ac06c-8cb5-4a2b-be10-c2aaf9f8d40a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805673
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Generic Dropper
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438084 Sample: AB1CEF822F66D7B77574A21C815... Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 9 other signatures 2->39 8 AB1CEF822F66D7B77574A21C8154D4A6E9FCD196A6659.exe 3 5 2->8         started        11 wscript.exe 1 2->11         started        13 wscript.exe 2->13         started        process3 file4 27 C:\Users\user\AppData\Local\...\filename.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\Local\...\filename.vbs, ASCII 8->29 dropped 15 wscript.exe 1 1 8->15         started        18 filename.exe 1 11->18         started        process5 signatures6 57 Creates autostart registry keys with suspicious values (likely registry only malware) 15->57 20 filename.exe 1 15->20         started        process7 signatures8 41 Antivirus detection for dropped file 20->41 43 Multi AV Scanner detection for dropped file 20->43 45 Detected unpacking (changes PE section rights) 20->45 47 3 other signatures 20->47 23 filename.exe 20->23         started        process9 dnsIp10 31 185.198.57.204, 49727, 49728, 49729 HSAE Netherlands 23->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->49 51 Tries to steal Mail credentials (via file access) 23->51 53 Tries to harvest and steal ftp login credentials 23->53 55 Tries to harvest and steal browser information (history, passwords, etc) 23->55 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab1cef822f66d7b77574a21c8154d4a6e9fcd196a6659637f1d662f0ef7df3bd/
Threat name:
Win32.Infostealer.PonyStealer
Create hunting rule
Status:
Malicious
First seen:
2018-04-26 15:23:09 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmoo7arpm3l3o5luuioicvguu3u7zumwuzszmn7r2zrpb3356o6q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
3a8891a9fd3e0a3cc62286f2c9fcda0bdfb802aba61560103811140cae528983
Loki
481ef8217d421c2f236d0846229e3c9884cb373530d93a00c8f30b83319c2824
Loki
4eb165d0adad5be9d9a4470eb3760a991c4ae1ae52ee2fe349851d1b50aaff53
Loki
5c4943289a1959b03d31592b147472be4d31a2637316b7bbe102412082619502
Loki
66d9988ac36da793b04a0de06e655fb3b386fc947c7d0009beaff2ff4da18be4
Loki
68f15600e889278aada0762a0fb84c11501bf3913380686aac74e6b3d4443368
Loki
8533f6030709d8f590c3e50dd87edf7cc841d2b4b455e209a7999c0ef1b1d743
Loki
d288abb89e9395815e993830e4c09765f4130d8f9c3a9398af68ddf71ec5d67d
Loki
d8e410f087d55207a1d9c1d688c86729fe6aa3f14940c4f1e4a943afc08443e1
Loki
eec64be092d3bd6ac2f32cbbc1bb4f50b373200d8431ae7f62a02834afbe7aef
Loki
+ 8'130 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer trojan
Link:
https://tria.ge/reports/210622-ncfm32tlfn/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://185.198.57.204/kboy/sync/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
ab1cef822f66d7b77574a21c8154d4a6e9fcd196a6659637f1d662f0ef7df3bd
MD5 hash:
4f1000a03f782677440b67a61ef3930b
SHA1 hash:
258023292effb0a0f1ad10ab34efe380eca746f1
Link:
https://www.unpac.me/results/6aeabfba-7ea4-4706-a865-a4e8477838e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/ab1cef822f66d7b77574a21c8154d4a6e9fcd196a6659637f1d662f0ef7df3bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167411/

Comments