MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 16 File information Comments

SHA256 hash:	bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295
SHA3-384 hash:	86c2df9aab9dea95b9097ef80780ca3af5f480a916de69d0e600e76cb4da9f66874e1cf9cc643aff1c5a50bf1324a1af
SHA1 hash:	4d0918da815050a31e3df4d299e979f5972064bf
MD5 hash:	6161586cab6dbbe35b513f84486e8d6b
humanhash:	carolina-leopard-nuts-texas
File name:	FedEx Receipt_AWB# 771596460800.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	859'136 bytes
First seen:	2023-03-22 19:01:13 UTC
Last seen:	2023-03-30 09:14:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:fhl06MFkUpkYXjPg7v1dNE4zrV5u50cXkJ:5lL89tTI7Lm43Pe1M
Threatray	66 similar samples on MalwareBazaar
TLSH	T11C05121577A59B52C2FD9BFC08B391802379BF3A2322EB4C2EC534DA1A37758C662553
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe FedEx Loki

Intelligence

File Origin

# of uploads :

# of downloads :

221

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FedEx Receipt_AWB# 771596460800.exe

Verdict:

Malicious activity

Analysis date:

2023-03-22 19:14:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/22e2d257-d0ff-4e3e-a41f-efe40efbdebb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/376599/

Detection(s):

Sanesecurity.Rogue.0hr.20230322-0833.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/641b50aac60b3295f52cb272/reports/9efd4385-328c-41c4-aad4-21e43755a4d7/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/945b087b-6acc-4f0b-b375-71704d6c75e7

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1199943

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2023-03-22 06:34:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xsfbfp6xu6jfq3ly6t5melzcvsos37rriuws5gnxzvdrqc6uwkkq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0cd6273cb957d6e97a533d50c86de4980c956f55119bb511f17a5c0458f10f21

Loki

57dd90f650bd99263dc2a2b8dffe69d09c191c84483b5bad8cd322d1e0b39287

Loki

6a81850f474caf72930d65ed4f929b9084aa8b68573368c2af897c1412f3ac58

Loki

9235e70ae950a3b47729b9cd33bd38b37a0f89b855f4d171ff04a907815b3c65

Loki

b46bad53e429d0e8448e3887355ae7b83c08f397ff30be8a8c6866ad2d9177db

Loki

b53d6ce1c2366c6c8eae28514dc9aa86b0dfa7f6c18ace6df1db1681f295955c

Loki

+ 56 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230322-xpsrhacf6t/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://64.227.48.212/?page_id=215360
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

85feecfde5072a9b6e186f634d9a2426970bf88af6366955bcb11b6adba9a741

MD5 hash:

2bcd15d3a3a173c705c08897e08cdcda

SHA1 hash:

f0f97f36a561e911ad811826ee9dc97257bef1d0

Link:

https://www.unpac.me/results/e35a2bb6-873d-4245-a3ef-062f04fec561/

SH256 hash:

b52cf1bf7ad6d3db607b1734255b77c795324a18c3deae2d1a13feb13cb1f1a9

MD5 hash:

cca99ae353c9d525ad1792cd65e8b746

SHA1 hash:

ec389c64b74473a877a96603eb27dfe31b8f7841

Link:

https://www.unpac.me/results/e35a2bb6-873d-4245-a3ef-062f04fec561/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/e35a2bb6-873d-4245-a3ef-062f04fec561/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

1d69a988f929de8a3a7418c1d95b99f98837a2eeeee4c78fddf5bb6ea2a5f3a7

MD5 hash:

91e860509944f7ab6a535e601787c217

SHA1 hash:

812cadc7759b4ae8fd15ac755afb2a4e61383b81

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/e35a2bb6-873d-4245-a3ef-062f04fec561/

Parent samples :

99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3
1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295
5224ad26b096f110856cfa5e9713928ba3704c860b3ea022ff4c8b271c2a6997
7589df135ac8e8da5e6e8bef446256bccbdbb92831e8cf89705bb2a19f5317e2

SH256 hash:

0ae199f2b643f0afff0bcced9ece53bd24cf21956ce04e4fab26ae72e6764b0e

MD5 hash:

678ddcd2f38405b95f5049bd8d3fcf2d

SHA1 hash:

52d982d8e62eaab5a4b0c01456a0c6eac23054e1

Link:

https://www.unpac.me/results/e35a2bb6-873d-4245-a3ef-062f04fec561/

SH256 hash:

bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295

MD5 hash:

6161586cab6dbbe35b513f84486e8d6b

SHA1 hash:

4d0918da815050a31e3df4d299e979f5972064bf

Link:

https://www.unpac.me/results/e35a2bb6-873d-4245-a3ef-062f04fec561/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bc8a12bfd7a7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/376599/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample