MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e
SHA3-384 hash: 619554b5bb5c482e2bfb02ed6186acd4bfcd6be03722213733df8140fa509ca5bdd850b6399bc487d343bec76be7d6e3
SHA1 hash: 8c07c49d5abb7474eab731a8f3111a7dd62e7cb1
MD5 hash: 4f261af0216ef7306e2ff076a2462358
humanhash: spring-september-berlin-stairway
File name:scannedfiles-23.exe
Download: download sample
Signature Loki
Create hunting rule
File size:704'512 bytes
First seen:2021-06-23 09:20:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:wDFYJZaF9GF2gGf/J0L9bOw98CRV9S7puUbO2TAeMaETL/DnBeaFkkkv77:O7jzpC96wxVg8QO2TFMaEf/7Be9vv
Threatray 3'291 similar samples on MalwareBazaar
TLSH 5AE4D0203AEA512DF177AF745AF474D69ABFBB733706C82D1451034A8B23942CF9163A
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://63.141.228.141/32.php/hVjgJl5jKemRQ

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://63.141.228.141/32.php/hVjgJl5jKemRQ https://threatfox.abuse.ch/ioc/139928/

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
scannedfiles-23.exe
Verdict:
Malicious activity
Analysis date:
2021-06-23 09:22:20 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/c7a4a479-92da-4b8e-9107-574a5b3fe5dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/167774/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e1178867-b80b-44d9-bdc3-915e32c553d2
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806488
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-06-23 09:21:09 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wrc2pe4auugt6fchlf5cq7r53kccq3xgnv3nb662ekqe5w5b2fxa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
31a89c6783fa15dd53d37d649b2b870a217736e8793ec70ad9604ab8731092f4
Loki
716febe5997423d5119cf34fac0bc06ba25709982fb291c8d8ae57c47b923646
Loki
8487616e993913211f1c1d1888b24697f40132eed17e4f5ca2bf44b0edf036b7
Loki
8a91e2138a9a4052ae32d94ea0a88a0fab4028ed233bdcb6ff8d079882ad6e62
Loki
a0264203f40b4357874c587487d89572745aff024539e7ee971076053e5ec3c2
Loki
b1bbe8202c60b81262815ceed78ac80573eebec5ba82bb8660ca3bd331b4c33e
Loki
b8d1ed4f810b98ad1e086962a2ba39f923602a061944417884a30de92513e786
Loki
bb0a1c36697ce7271b0e78d81a2b0b66a635bd31c51bc30e2497344bd79fdebb
Loki
e8744060c5568394940066bc2a220430ab1d62fbaca0239d7a51352f666220ff
Loki
e9a75455976eccde50b6ce4c5bdf9c938e596764a5e440ec5550f36b4e24f1fb
Loki
+ 3'281 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210623-aqvjf9917e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://63.141.228.141/32.php/hVjgJl5jKemRQ
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
7cd97ca083888697fbc6ddd27f5aa7500c4a053ac17efc61546d6d3e107b30a7
MD5 hash:
eb489976416d42bfa3e9bbe3cbd53248
SHA1 hash:
7dbe6c8f07715cecb675d5d4422b5e56737d6786
Link:
https://www.unpac.me/results/fc7cd39f-d717-48e4-a9eb-21f65420fad5/
SH256 hash:
485c70224b01677aa5bc1278d7472a53f7917e3fa4ba86ffa475d9250b0a4d98
MD5 hash:
46937571f64345b65c05518b2fdd8264
SHA1 hash:
772211c2e2b8d1c32ae82c33e76e9e7b772516ec
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/fc7cd39f-d717-48e4-a9eb-21f65420fad5/
Parent samples :
d94c9ec0221c2e8a9d5f0846a4abb9210ac96f58ae11355d5094caafaac76b4a
31faaeb4816858f1780d975c523c3e6a9779231cbf2dace17b6b862b491cb00e
b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e
SH256 hash:
c028ff1fe4af5aa6e10d30ebf7380b25e04c2c3b71d92f4dd7090a97c32d9719
MD5 hash:
88ffea6fba58b1e56dc81f4bcd7982fd
SHA1 hash:
50b9a4a80b92a9472e118ee9716345c0639d548c
Link:
https://www.unpac.me/results/fc7cd39f-d717-48e4-a9eb-21f65420fad5/
SH256 hash:
b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e
MD5 hash:
4f261af0216ef7306e2ff076a2462358
SHA1 hash:
8c07c49d5abb7474eab731a8f3111a7dd62e7cb1
Link:
https://www.unpac.me/results/fc7cd39f-d717-48e4-a9eb-21f65420fad5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b445a79380a50d3f1447597a287e3dda84286ee66d76d0fbda22a04edba1d16e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167774/

Comments