MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4af4fff61cf428f03cfe550f759d56a6a6a9922aaf00f9954e5fb33c78da476. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

SHA256 hash: b4af4fff61cf428f03cfe550f759d56a6a6a9922aaf00f9954e5fb33c78da476
SHA3-384 hash: 3450e04e9ec71fc1e3be5792428fdde2eebc9f358479e6acf89c292eda91a34b791859d31b442bb15fe6cabbd967ba11
SHA1 hash: 2aaec95b89491eaa55e4e055429d5e75cdbbca39
MD5 hash: ef36a5b4ab6cfc60657a8d3202c73ff6
humanhash: six-item-lemon-triple
File name: gunzipped.exe
Signature: Loki
File size: 618'496 bytes
First seen: 2022-05-28 06:51:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'754 x AgentTesla, 19'660 x Formbook, 12'251 x SnakeKeylogger)
ssdeep 12288:lwH22qla5w/yXbxF0lS9tcl2+v0tw/yw9Hxn0ZS7DBWAIMwsbGzKLiR:lwH0MW/IbxF0lSzCcS//Hxn0ZSB
Threatray 8'983 similar samples on MalwareBazaar
TLSH T1DED40249ABC142D4D869063B4DB3B7247F01BBA2806B9F2F5C93345D9A26BC21EF11DC
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 32ceaeaeb2968eca (42 x SnakeKeylogger, 23 x Loki, 9 x AgentTesla)
Reporter abuse_ch
Tags: exe Loki


Comment by abuse_ch:
Loki C2:
http://climatte.uz/nn/Panel/fre.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://climatte.uz/nn/Panel/fre.php
ThreatFox Reference: https://threatfox.abuse.ch/ioc/643027/

Intelligence


File Origin
# of uploads: 1
# of downloads: 438
Origin country: n/a

Vendor Threat Intelligence
Malware family: lokibot
ID: 1
File name: gunzipped.exe
Verdict: Malicious activity
Analysis date: 2022-05-28 06:53:04 UTC
Tags: trojan lokibot stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness: (not given)
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a file
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Lokibot
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph ID: 635704
Sample: gunzipped.exe
Startdate: 29/05/2022
Architecture: WINDOWS
Score: 100

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 10 other signatures

Process tree (rebuilt from the graph export):
gunzipped.exe (started)
  dropped: Lgiyznljgorgptoauc...ran copy tt_pdf.exe, PE32
  dropped: C:\Users\user\AppData\...\gunzipped.exe.log, ASCII
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  started: Lgiyznljgorgptoauccpembayaran copy tt_pdf.exe
    signatures: Injects a PE file into a foreign processes
    started: Lgiyznljgorgptoauccpembayaran copy tt_pdf.exe
      network: climatte.uz 176.96.243.100, ports 49790, 49798, 49801 (QWARTARU, Czech Republic)
      dropped: C:\Users\user\AppData\...\B52B3F.exe (copy), PE32
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  started: InstallUtil.exe
    network: 198.187.30.47, ports 49780, 49783, 49784 (NAMECHEAP-NETUS, United States)
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file registry); Tries to steal Mail credentials (via file / registry access)
Gathering data
Threat name: ByteCode-MSIL.Backdoor.Androm
Status: Malicious
First seen: 2022-05-28 02:21:17 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 22 of 41 (53.66%)
Threat level: 5/5

Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot collection spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=53652306313539112
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://climatte.uz/nn/Panel/fre.php
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Author: ditekSHen
Description: Detects executables referencing many file transfer clients. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_GENInfoStealer
Author: ditekSHen
Description: Detects executables containing common artifacts observed in infostealers.

Rule name: infostealer_loki

Rule name: infostealer_xor_patterns
Author: jeFF0Falltrades
Description: The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name: Loki
Author: kevoreilly
Description: Loki Payload

Rule name: LokiBot
Author: kevoreilly
Description: LokiBot Payload

Rule name: malware_Lokibot_strings
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: MAL_Lokibot_Stealer
Description: Detects Lokibot Stealer Variants

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: STEALER_Lokibot
Author: Marc Rivero | McAfee ATR Team
Description: Rule to detect Lokibot stealer

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: Typical_Malware_String_Transforms
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: Typical_Malware_String_Transforms_RID3473
Author: Florian Roth
Description: Detects typical strings in a reversed or otherwise modified form
Reference: Internal Research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.lokipws.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments