MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3
SHA3-384 hash: c0f84699027431e28f6f9f23f02378c39a000caa2601e3ab1fe369e3ae864c70b1fbaa5d41e2627351c23bc5871aa269
SHA1 hash: 7bbb45387c64ee4288d0d6996084dce62f1edbb3
MD5 hash: 52b90d1eed8e25aeebdce06a38f093dc
humanhash: happy-jersey-bluebird-one
File name:52b90d1eed8e25aeebdce06a38f093dc.exe
Download: download sample
Signature Loki
Create hunting rule
File size:753'508 bytes
First seen:2024-08-02 14:00:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:IcrNS33L10QdrX4tf4nZWGCLIsXqCevUVeq+pzsvv3C1ONYKdO9OUqFRjnhRNdAC:7NA3R5drX4R4Zu6CHVeq+OxNYaO9/Yrt
Threatray 4'345 similar samples on MalwareBazaar
TLSH T11CF40211B7E294B2E6731D32493DA722A97C39201E34CA2FB3D44B5CDE711D1EA25B63
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon e8c4a84681e2c4e8 (2 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://94.156.66.169/topwttsg/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.156.66.169/topwttsg/Panel/five/fre.php https://threatfox.abuse.ch/ioc/1306290/

Intelligence

File Origin
# of uploads :
1
# of downloads :
462
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
52b90d1eed8e25aeebdce06a38f093dc.exe
Verdict:
Malicious activity
Analysis date:
2024-08-02 14:02:50 UTC
Tags:
stealer lokibot trojan
Link:
https://app.any.run/tasks/015f655b-96c9-4066-b6d0-bcf813f5abd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ace6a1037b02d0daed2121
Tags:
Encryption Execution Network Static Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/66ace6aab45fbebc0edc6abf/reports/85106585-f4f7-4c46-a7a7-fc6e8257df30/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3871f511-244d-4f93-aede-3929eaf4b6b5
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1486846
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses known network protocols on non-standard ports
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1486846 Sample: XFJur2XHeg.exe Startdate: 02/08/2024 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 7 other signatures 2->46 10 XFJur2XHeg.exe 9 2->10         started        process3 file4 34 C:\Users\user\AppData\...\hdfgthxfc.sfx.exe, PE32 10->34 dropped 13 cmd.exe 1 10->13         started        process5 process6 15 hdfgthxfc.sfx.exe 8 13->15         started        18 conhost.exe 13->18         started        file7 36 C:\Users\user\AppData\Local\...\hdfgthxfc.exe, PE32 15->36 dropped 20 hdfgthxfc.exe 1 15->20         started        process8 signatures9 48 Detected unpacking (changes PE section rights) 20->48 50 Tries to steal Mail credentials (via file registry) 20->50 52 Machine Learning detection for dropped file 20->52 23 hdfgthxfc.exe 117 20->23         started        28 hdfgthxfc.exe 20->28         started        process10 dnsIp11 38 94.156.66.169, 49705, 49706, 49707 TERASYST-ASBG Bulgaria 23->38 32 C:\Users\user\AppData\...\31437F.exe (copy), PE32 23->32 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->54 56 Tries to steal Mail credentials (via file / registry access) 23->56 58 Tries to harvest and steal ftp login credentials 23->58 60 Tries to harvest and steal browser information (history, passwords, etc) 23->60 30 WerFault.exe 2 28->30         started        file12 signatures13 process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3/
Threat name:
Win32.Infostealer.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2024-08-02 14:01:05 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpxmuftw6ce47teavvisn7sijg3qdpyyllv3gcvznn6issikoozq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04f557582bc8b4c4af843d0c837124da73f887ac5b997efdd78f96d45caced85
Loki
0bcb9bf4516773558cd8464a3b7795d3752f8eb27840e848db87a55df9393d25
Loki
0dc69e491c783527c6465e25b8b33447391ae9d7ace6e4c1c20db8047aa1918a
Loki
0f499eaeeba3237aedfb784cf65c67ef9aae645ab0d4153cb6af1289e37040d7
Loki
16510508a55e331de91a5e246b4d0174a419203d557d7407861bf24a947ce16c
Loki
4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217
Loki
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
Loki
7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a
Loki
+ 4'335 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection credential_access discovery spyware stealer trojan
Link:
https://tria.ge/reports/240802-rbjc1ssapa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Lokibot
Malware Config
C2 Extraction:
http://94.156.66.169:5734/topwttsg/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8a5e0043-9ad6-48ae-bca7-b60d4d7e1aee
Unpacked files
SH256 hash:
89dae4d0e3562071321a49708d75da93dce2ebde5dc7b42a24906045dbba496e
MD5 hash:
9d0d301afc330da43c05d74fe3215b37
SHA1 hash:
f14b71131d9dba27323cef84add0e639468114bf
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/fe0d38fe-944f-4b3c-9a1a-7ea5a6cda629/
Parent samples :
cc34009402c9e1a52c70b4f88a817c974a2fc454d4f1b7dbb3cdd21c24fbc073
abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3
SH256 hash:
0a1a60659ef14b55dadb6df5063e1492e147d4fca8f11305942c0e2c005a1d18
MD5 hash:
d4f95f5e224965d95fc824740ee8558a
SHA1 hash:
6f4b5c554e8a42f878477ad9354d85a3483579c7
Link:
https://www.unpac.me/results/fe0d38fe-944f-4b3c-9a1a-7ea5a6cda629/
SH256 hash:
ebd78dbe7be3bd30f702600043bb0984d1856660306c92e038948c8ee1885cdc
MD5 hash:
4ef0fdb57d524265ba5dd6d7cade4287
SHA1 hash:
6294e70432067e4f3fec88424606d0f14f4af9cf
Link:
https://www.unpac.me/results/fe0d38fe-944f-4b3c-9a1a-7ea5a6cda629/
SH256 hash:
7242a1d3d56a039f622a6a2328025675520a244a4e70cfc4116b1c7f759edf14
MD5 hash:
cab367ff995d03149272e154fb4fde6b
SHA1 hash:
0d9617593727b9f073a0ae6521d9493664fe15a5
Link:
https://www.unpac.me/results/fe0d38fe-944f-4b3c-9a1a-7ea5a6cda629/
SH256 hash:
dc0b7dbf26c0a14aa131b6b090ede58c929a242e77b0d3fd507d9e1213f6178e
MD5 hash:
fc9a6dae87affe6110a9a84f2abc8022
SHA1 hash:
97a8ac065400569650aa9d282909b8779f13e79f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/fe0d38fe-944f-4b3c-9a1a-7ea5a6cda629/
SH256 hash:
abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3
MD5 hash:
52b90d1eed8e25aeebdce06a38f093dc
SHA1 hash:
7bbb45387c64ee4288d0d6996084dce62f1edbb3
Link:
https://www.unpac.me/results/fe0d38fe-944f-4b3c-9a1a-7ea5a6cda629/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe abeeca1676f089cfcc80ad5126fe4849b701bf185aebb30ab96b7c89490a73b3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3084846/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments