MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb5b0574dd40638d9f65473bd5f2c3353ea76d5f2cdd1d2c7d748d1b2b16ecf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 2 File information Comments

SHA256 hash:	bb5b0574dd40638d9f65473bd5f2c3353ea76d5f2cdd1d2c7d748d1b2b16ecf5
SHA3-384 hash:	7dcf86f09920933d8ec2796bd67551638780ca4e59840b7f933d21ab4ed23dda0bf69ad8bdb91fb4be32feb9b88e19a2
SHA1 hash:	6c8f73e78f20dace8666785c4677047088653328
MD5 hash:	338e104e88293c37313d649b7ee54b65
humanhash:	twelve-grey-johnny-robin
File name:	SecuriteInfo.com.Trojan.PackedNET.1461.13177.17751
Download:	download sample
Signature	Loki Create hunting rule
File size:	580'096 bytes
First seen:	2022-07-27 10:50:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:HbMaR5IFdlfyhN5v/0u9QR57NnmL0MBOxvX5AHoJ2qx8:HbMiGFdNOTvMFR57lmQJxvko5x
Threatray	11'038 similar samples on MalwareBazaar
TLSH	T157C401A123389B76D6BF03BF90204219CBF9B24BE083D7DE5E8876D92D53760854176B
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	86738c8d86966992 (12 x AgentTesla, 6 x Loki, 6 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://66.29.145.162/?12495881296063980	https://threatfox.abuse.ch/ioc/839806/

Intelligence

File Origin

# of uploads :

# of downloads :

357

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/294611/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1461.13177.17751.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62e1191391ccf3d70e851d9f/reports/27e94bd6-a9ce-4b30-940d-96917934a257/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3981eb50-26eb-4a3b-9f8d-a2e761694326

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1041773

Signature

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/bb5b0574dd40638d9f65473bd5f2c3353ea76d5f2cdd1d2c7d748d1b2b16ecf5/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-07-27 10:40:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xnnqk5g5ibry3h3fi455l4wdgu7ko3k7ftor2ld5osgrwkyw5t2q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220727-mxtcwsdaej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://66.29.145.162/?12495881296063980
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

06f302c9a69dc6274008b006cf051b1cb14db14cd218f969bbeff25463359447

MD5 hash:

f32c7f1bc099da7b607835a2ade6aef6

SHA1 hash:

ec7ac08ae8336306bace4d509bdec2dfa9d7a2e2

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

Link:

https://www.unpac.me/results/e95fdb03-7a53-45a7-88b6-2a952b1f8ab6/

Parent samples :

bb5b0574dd40638d9f65473bd5f2c3353ea76d5f2cdd1d2c7d748d1b2b16ecf5
3414fa26fc151944191196875c23a49683db37899e819d3cea7f5bfba6c6af52

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/e95fdb03-7a53-45a7-88b6-2a952b1f8ab6/

SH256 hash:

9b1e43072bd02b01880f8be28642dab9362707f7a0affd51f836bae31bfdda56

MD5 hash:

fe752e22599471bcbb5ef181a3282286

SHA1 hash:

d527dc94d2ddfbcc2ff4c03452c6143d7bc4ff8b

Link:

https://www.unpac.me/results/e95fdb03-7a53-45a7-88b6-2a952b1f8ab6/

SH256 hash:

e564513c43380315992640814660840a5b4703eb1bdd83e4bfb41adc8b00a952

MD5 hash:

745a8ebc59de416f9fd30feff3a73c8c

SHA1 hash:

929a6c83ae8973d863cf4640a979b86da829b988

Link:

https://www.unpac.me/results/e95fdb03-7a53-45a7-88b6-2a952b1f8ab6/

SH256 hash:

1a2bbc0f74ec41733f7cfb63b51cf924503efe06206870bc011fa75eed35294f

MD5 hash:

31e9f7128747365df37917ac87ccdc89

SHA1 hash:

0616309f1d1123bc125e3c08892a75448b236157

Link:

https://www.unpac.me/results/e95fdb03-7a53-45a7-88b6-2a952b1f8ab6/

SH256 hash:

bb5b0574dd40638d9f65473bd5f2c3353ea76d5f2cdd1d2c7d748d1b2b16ecf5

MD5 hash:

338e104e88293c37313d649b7ee54b65

SHA1 hash:

6c8f73e78f20dace8666785c4677047088653328

Link:

https://www.unpac.me/results/e95fdb03-7a53-45a7-88b6-2a952b1f8ab6/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bb5b0574dd40/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/294611/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample