MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments 1

SHA256 hash:	b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714
SHA3-384 hash:	e309e09166da66cb31846e6f5a37ba39c9616a5e033a7c6f039a465098df9ae0914726ea05593c766d6924d62920eb53
SHA1 hash:	b39454398278b23bca8997db00e240746d7b78eb
MD5 hash:	a111770c4c83a727c0569a8a5f82867c
humanhash:	thirteen-whiskey-tango-lima
File name:	a111770c4c83a727c0569a8a5f82867c
Download:	download sample
Signature	Loki Create hunting rule
File size:	198'144 bytes
First seen:	2023-10-02 17:01:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	42367a22e1010f39e39654573a05e25f (2 x Tofsee, 2 x Smoke Loader, 1 x CoinMiner)
ssdeep	3072:lDEz2VBHnvGRDCimuLXQkqawnzLf4UJdhzrowNha34dxNcE50trm+b+ovV:DtuROim8X+awfPTFowNS4bArbZV
Threatray	4'325 similar samples on MalwareBazaar
TLSH	T12A14CF6139F0C072E7AB45744834D7A06ABBB8739FA3869F335C162F4E306D18A69717
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0000005000281809 (1 x Loki)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

payment proof.xls

Verdict:

Malicious activity

Analysis date:

2023-10-02 16:49:02 UTC

Tags:

exploit cve-2017-11882 opendir loader trojan lokibot

Link:

https://app.any.run/tasks/b9d5a585-3fd0-4ba2-add6-90f6782b2492

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/452716/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/651af78d32ffdb7a7a1cf8a4/reports/2d6fff05-a978-4103-b184-a29eca093e7f/overview

Verdict:

Malicious

Labled as:

Ransom.E605D898

Link:

https://www.hybrid-analysis.com/sample/b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3f901174-4380-4bfc-a62b-e740555e2620

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1318156

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2023-10-02 15:40:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 23 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xdzwidpkh4xao3vfihghmthpmcwizx47exyb44uk42g45voqi4ka._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/231002-vj4wgaeg27/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

https://sempersim.su/a14/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

601477fd9a5eddcb2edc4c14984d4ab3a8bbc70b6f8d8aeb4d4dcdfbf9a306ec

MD5 hash:

38de09e1e8b3ddb2de5bee69493bdef0

SHA1 hash:

760f70c1b10c59f4fc93c15cb7ee1b4f3fa2b1ea

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/dc812891-6182-4585-8f32-c49b9e8502dd/

Parent samples :

b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714
d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275
af0b630ad64ed3f1b91f55389e78fe82c2b0dcaee4965b6442ec2c6814a38da5
da5c8721b3c8624f2234309272d145894cbb0242281c5bd7cfa9e804842fc6e2
bf9544ac2abf7d615418a8e03e8226820c8ba48e049467136b257825ccf730f7
ae8131e8c5b55b77c69a8962dcf41b811b0411f1b4c1d9e702d446e639648e97
47828de9e3c3b3bf2955c6cd2a72f2d75cb54c91756eee1b56a42bd1bf09f7f2
a3a3d37f3ca0dc20bb1e4ef9c90925369e9d5713e7ddb797ca2b7c2cea0414c3
da21ece2f4aa50ee504970a2fefed88038ade14bb3f68b0d6e388da6f40628c9
f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e
9b84ca1d7fb41a824ccb4693789fee6b94cea21cbd8645840814dfb650ffdb20
b37c2f6f3a9d1b078d6ca93e073a14baa50bb7496280d3529c87b0e8e2d1a36c

SH256 hash:

b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714

MD5 hash:

a111770c4c83a727c0569a8a5f82867c

SHA1 hash:

b39454398278b23bca8997db00e240746d7b78eb

Link:

https://www.unpac.me/results/dc812891-6182-4585-8f32-c49b9e8502dd/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b8f3640dea3f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2715871/

Cape

https://www.capesandbox.com/analysis/452716/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-10-02 17:01:57 UTC

url : hxxp://46.183.223.121/ansi/loki.exe