MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7a4a6c62e00f32f0432a8c80c556a3734d8375b01ef8722216f6a4250656210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b7a4a6c62e00f32f0432a8c80c556a3734d8375b01ef8722216f6a4250656210
SHA3-384 hash: 6e23af38d1bba5c5a97ab0cdbcf952da68734d81b02e668206ab8bfe17a2ad9e5b0b7cb6c6480bda454d9c8b456f5642
SHA1 hash: 663325ee06150cc250e097d32929b3d30fd232ac
MD5 hash: 821990e48b938fb06f660dc84e7df41e
humanhash: maine-gee-snake-carolina
File name:821990e48b938fb06f660dc84e7df41e
Download: download sample
Signature Loki
Create hunting rule
File size:237'653 bytes
First seen:2022-04-04 16:20:22 UTC
Last seen:2022-04-04 17:07:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:HNeZmhVe1N0dppdbGcU78Uhluymz+dInT:HNlhAn+/dbG77nhlUwoT
TLSH T13A34125837C4D0B3E4530BB21D3AA72A6BEA620121629D4B2B604F6DBC317C1DE5E776
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
221
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
http://192.3.247.131/002/vbc.exe
Verdict:
Malicious activity
Analysis date:
2022-04-04 16:24:46 UTC
Tags:
opendir loader trojan lokibot stealer
Link:
https://app.any.run/tasks/ff242c17-7abb-40d0-a034-83d09a2e3d22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/260669/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.34239.679.29569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12570/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/624b1b0740ce5db9f404b9c1/reports/dddeeaeb-de5c-4ec1-8280-86c5d3f37f65/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/55ab88fb-33d4-44c5-9a74-3ed444302893
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970311
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602799 Sample: U6ovlIylL2 Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 17 Multi AV Scanner detection for domain / URL 2->17 19 Found malware configuration 2->19 21 Malicious sample detected (through community Yara rule) 2->21 23 6 other signatures 2->23 7 U6ovlIylL2.exe 18 2->7         started        process3 file4 15 C:\Users\user\AppData\Local\...\kclyknkk.exe, PE32 7->15 dropped 10 kclyknkk.exe 7->10         started        process5 signatures6 25 Multi AV Scanner detection for dropped file 10->25 13 kclyknkk.exe 10->13         started        process7
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b7a4a6c62e00f32f0432a8c80c556a3734d8375b01ef8722216f6a4250656210/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 02:44:08 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w6sknrroadzs6bbsvdeayvlkg42nqn23ahxyoirbn5veeudfmiia._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220404-ttmjhahbc6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://mail.outlook-webpage-auth.ml/dan/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b115e7bf0d9b526592c0a926b7c170d8bb1e03b240e7bfd032f1d096286b1c8e
MD5 hash:
bc302fe6349154d5063b332af2a0cfa5
SHA1 hash:
5a9b9ef3c7a6ebb184ead32471478097d006e83e
Link:
https://www.unpac.me/results/b672de19-c1ac-41d3-b9cb-756b4d883041/
SH256 hash:
2ac8be4130beeeb0113d3d493df898317eddf710da994caa8f7d1203ec8aa99a
MD5 hash:
0980e973167eb7ab8bbfb8f582a675df
SHA1 hash:
e6b47a5b1bfe855c1145ca5add9c9871efd0e67e
Link:
https://www.unpac.me/results/b672de19-c1ac-41d3-b9cb-756b4d883041/
SH256 hash:
de9fce4074bb96c7213420bb7e1c82fab5f7ca02d10cdad4872c2da5bb52fd9a
MD5 hash:
d022efb17e48df17f07d9202eda421d4
SHA1 hash:
6918c4bb54c20b99926e3cb28ba3b668c251cae7
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/b672de19-c1ac-41d3-b9cb-756b4d883041/
Parent samples :
06ca584a9d6554546f43c9e042d3f0a128906dfdf814e575ee736fb3014395fb
26070b1a05da0da550b286c83227def8b346570e3644b491cedf3e59b31ceb6f
b7a4a6c62e00f32f0432a8c80c556a3734d8375b01ef8722216f6a4250656210
72f1573437297c0ab5a041f1498939ff669c35ec868abe8ff613ae05ad5d7bbe
SH256 hash:
b7a4a6c62e00f32f0432a8c80c556a3734d8375b01ef8722216f6a4250656210
MD5 hash:
821990e48b938fb06f660dc84e7df41e
SHA1 hash:
663325ee06150cc250e097d32929b3d30fd232ac
Link:
https://www.unpac.me/results/b672de19-c1ac-41d3-b9cb-756b4d883041/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b7a4a6c62e00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b7a4a6c62e00f32f0432a8c80c556a3734d8375b01ef8722216f6a4250656210

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe b7a4a6c62e00f32f0432a8c80c556a3734d8375b01ef8722216f6a4250656210

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2130909/
Cape
Cape
https://www.capesandbox.com/analysis/260669/

Comments


Avatar
zbet commented on 2022-04-04 16:20:26 UTC

url : hxxp://192.3.247.131/002/vbc.exe