MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b725e73edec2f3fcaca92038ddcaffd70a8209b5e86d503e70053e336975b58c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	b725e73edec2f3fcaca92038ddcaffd70a8209b5e86d503e70053e336975b58c
SHA3-384 hash:	5f62a2ba254be5b07146484d8c23413f1e7a5ac30ad6067eb3e33d7597740fc00b8206a88de739530cdfcd06c6888a93
SHA1 hash:	6f1886d4a3e8a1b791e541735d8f52b70e98e3d8
MD5 hash:	4f77dd842c1d9c7ee8a3350e79e8634a
humanhash:	hamper-carpet-three-high
File name:	Update SOA.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	444'928 bytes
First seen:	2022-06-20 14:04:30 UTC
Last seen:	2022-06-20 14:06:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:r2iNiDX9qWN0lYYDIz3u7df+34Auf4hHg:r1qcDtDF7plWHg
Threatray	8'859 similar samples on MalwareBazaar
TLSH	T19C94F1046AB88763ED3DCBFC48E3604043F864229256F79C4FD971DA9877B128B90767
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	James_inthe_box
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

252

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/281636/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a file in the %temp% directory

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62b07e98f4dd1ffb77a4510f/reports/7af581ea-77be-496d-8c56-b8d7f7bbaa33/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e31da4b-6bc5-4606-aec6-04afacbe2a79

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1016404

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/b725e73edec2f3fcaca92038ddcaffd70a8209b5e86d503e70053e336975b58c/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-06-20 12:59:31 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 26 (57.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w4s6opw6ylz7zlfjea4n3sx724fiecnv5bwvaptqau7dg2lvwwga._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

154a02b254e2bf1230ad78ac790f65cf165a22642a1a9d9c17163adacfcaff41

Loki

2bf23bcaac2fa52fde6e170575defcc11807e3409747e92e1cd0b8cf93c898b6

Loki

56a9829d3a588c2a1f2a8e82f358214387d36cdf1a28afef973bfbae53ff888b

Loki

832a9690e4a0afc9c23d8836c249aa53c90fd78de02644a7898bcea36e9986fa

Loki

cd2b3a445788fa65a63cd9665d689f112b1e61e55a63cb2e97ba37bf00b2d3db

Loki

+ 8'849 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220620-rdt8asfhf9/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://85.202.169.172/kelly/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://��Д��Й��Й��я��

Unpacked files

SH256 hash:

6de8bc7d4844efdb55328126b632a374bee9aaf3073cf9ca5fe5fdf303106f8e

MD5 hash:

7ce2d10bd0f02667bc0e1343d9ffc1c1

SHA1 hash:

c3a5b4e5721085022eb7bf0008b7e449f9369fcf

Link:

https://www.unpac.me/results/2b54a90b-a9d4-4b7c-98dc-eb2463b3f98f/

SH256 hash:

9147f59bdeaa27d396107b967cb2a8f0052ccd73e7a5d5ba023f9ee3fec8a454

MD5 hash:

c1a025576960a83052a5aaebdaec8843

SHA1 hash:

b899fc48edc7c98dada4372da6a44fa887ed6f5f

Link:

https://www.unpac.me/results/2b54a90b-a9d4-4b7c-98dc-eb2463b3f98f/

SH256 hash:

fd13b602480c31a3f08b1829e70549d1a29f3431c17358a138eb2dfea554e8bd

MD5 hash:

be924af60a6d69a24fcf0370c60183eb

SHA1 hash:

912fea8305cb381050db42133b938e28363fdbc8

Detections:

lokibot

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/2b54a90b-a9d4-4b7c-98dc-eb2463b3f98f/

Parent samples :

859c4d32d610fa0a47a5afd95c6dc1e1eb550ea8b93d6e2dc56f2db52354e345
212ceab3e02c1dbd8c6c6cca14c1ca6c1920b9c7d23bf3b5a6e208b9ca6447c6
e1d8eab874be46593faa035567ce4dbe32b61571533b46f115621a8b33b10181
b725e73edec2f3fcaca92038ddcaffd70a8209b5e86d503e70053e336975b58c
7776ef4785c6c59cef4ec63fc9ffcc85fd2dd7fb475baba35d1d85e876bc9104
bdbc86c0a5462911cfe1af9466eae05084b0aa1c4619cddc68129b3eb3fd81dc
6224386940968b1bd3bf7b45310af4170d355155e3a4e31719d4ae31a537e272
bfcc207c3754bfcdf3bf882cd8ff018f36d3cfd65f8d40700970d4e7a2d47cec

SH256 hash:

65d02fd5ad1b49b9e4e13edc5ceaf1d7f22d2e6329f810f431e53657cd5226f0

MD5 hash:

2810cef1bcfefafa815e3e14c0883254

SHA1 hash:

356f6071329e229bbe7bb465981e425d8dcac956

Link:

https://www.unpac.me/results/2b54a90b-a9d4-4b7c-98dc-eb2463b3f98f/

SH256 hash:

b725e73edec2f3fcaca92038ddcaffd70a8209b5e86d503e70053e336975b58c

MD5 hash:

4f77dd842c1d9c7ee8a3350e79e8634a

SHA1 hash:

6f1886d4a3e8a1b791e541735d8f52b70e98e3d8

Link:

https://www.unpac.me/results/2b54a90b-a9d4-4b7c-98dc-eb2463b3f98f/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b725e73edec2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b725e73edec2f3fcaca92038ddcaffd70a8209b5e86d503e70053e336975b58c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/281636/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample