MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd1a88e1b94ca63fb0f613006ca666dc69baad7abb86129df1b825f8e48d8265. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd1a88e1b94ca63fb0f613006ca666dc69baad7abb86129df1b825f8e48d8265
SHA3-384 hash: 39aa70b6fba062a1013f2f266f9ebfc9821a4f0315d261441bc01e77c2c22d0e8e50959ec5826f41bc7db6a4e0ab78af
SHA1 hash: 4531ff8af3dfe1ac82bf2047f4d03b93200f05ba
MD5 hash: 3c628bc76cd0e54e4ba30ea6e15de0bc
humanhash: ohio-charlie-queen-bravo
File name:FAKTURA #180222BG24 & #160222BG71.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'378'304 bytes
First seen:2023-09-27 05:45:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e334390d0a0362adbede139565beb211 (2 x Loki, 1 x RemcosRAT)
ssdeep 24576:GnBFEzLlVyPFK0IxsyRAJ2fPU8wgr/ciEFAfoEKyqoGGHf2dG7Oo/H7:GnWbX3kmU8trk45h2dG7
Threatray 27 similar samples on MalwareBazaar
TLSH T16455D030E6905933DC731A38D99AC2A4982FBE2019546C5565D97F0C8F723BD3CFA1AE
TrID 30.5% (.SCR) Windows screen saver (13097/50/3)
24.5% (.EXE) Win64 Executable (generic) (10523/12/4)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 74e4d4c4c1c1d4dc (2 x Loki, 2 x PureLogsStealer, 1 x RemcosRAT)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://45.77.76.224/~clinics/eVI28q6BOshwTRKh6fW

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FAKTURA #180222BG24 & #160222BG71.exe
Verdict:
Malicious activity
Analysis date:
2023-09-27 05:47:46 UTC
Tags:
dbatloader
Link:
https://app.any.run/tasks/b25a3a58-6628-4ad4-9898-e12007c8a2a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
ModiLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/451433/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.21120.29039.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control keylogger lolbin packed
Link:
https://www.filescan.io/uploads/6513c19a1edabd9982a0a277/reports/1fe36028-3e2b-43b1-92fc-de0c99aa688b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/bd1a88e1b94ca63fb0f613006ca666dc69baad7abb86129df1b825f8e48d8265
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9352a209-1d59-4f2b-b57a-a519b56217fe
Result
Threat name:
DBatLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1314958
Signature
Adds a directory exclusion to Windows Defender
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected DBatLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1314958 Sample: FAKTURA_#180222BG24_&_#1602... Startdate: 27/09/2023 Architecture: WINDOWS Score: 100 88 Snort IDS alert for network traffic 2->88 90 Multi AV Scanner detection for domain / URL 2->90 92 Found malware configuration 2->92 94 9 other signatures 2->94 11 FAKTURA_#180222BG24_&_#160222BG71.exe 1 8 2->11         started        16 Eqzrfdvj.PIF 1 2->16         started        18 Eqzrfdvj.PIF 2->18         started        process3 dnsIp4 72 web.fe.1drv.com 11->72 80 3 other IPs or domains 11->80 60 C:\Users\Public\Libraries\netutils.dll, PE32+ 11->60 dropped 62 C:\Users\Public\Libraries\jvdfrzqE.pif, PE32 11->62 dropped 64 C:\Users\Public\Libraries\easinvoker.exe, PE32+ 11->64 dropped 66 C:\Users\Public\Librariesqzrfdvj.PIF, PE32 11->66 dropped 114 Drops PE files with a suspicious file extension 11->114 116 Writes to foreign memory regions 11->116 118 Allocates memory in foreign processes 11->118 20 cmd.exe 1 11->20         started        23 jvdfrzqE.pif 54 11->23         started        74 192.168.2.1 unknown unknown 16->74 76 web.fe.1drv.com 16->76 82 3 other IPs or domains 16->82 120 Antivirus detection for dropped file 16->120 122 Multi AV Scanner detection for dropped file 16->122 124 Sample uses process hollowing technique 16->124 27 jvdfrzqE.pif 16->27         started        78 web.fe.1drv.com 18->78 84 3 other IPs or domains 18->84 126 Allocates many large memory junks 18->126 29 jvdfrzqE.pif 18->29         started        file5 signatures6 process7 dnsIp8 96 Uses ping.exe to sleep 20->96 98 Drops executables to the windows directory (C:\Windows) and starts them 20->98 100 Uses ping.exe to check the status of other devices and networks 20->100 31 easinvoker.exe 20->31         started        33 PING.EXE 1 20->33         started        36 xcopy.exe 2 20->36         started        39 8 other processes 20->39 70 45.77.76.224, 49798, 49799, 49800 AS-CHOOPAUS United States 23->70 58 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 23->58 dropped 102 Detected unpacking (changes PE section rights) 23->102 104 Detected unpacking (overwrites its own PE header) 23->104 106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->106 108 4 other signatures 23->108 file9 signatures10 process11 dnsIp12 41 cmd.exe 1 31->41         started        68 127.0.0.1 unknown unknown 33->68 54 C:\Windows \System32\easinvoker.exe, PE32+ 36->54 dropped 56 C:\Windows \System32\netutils.dll, PE32+ 39->56 dropped file13 process14 signatures15 110 Adds a directory exclusion to Windows Defender 41->110 44 cmd.exe 1 41->44         started        47 conhost.exe 41->47         started        process16 signatures17 112 Adds a directory exclusion to Windows Defender 44->112 49 powershell.exe 23 44->49         started        process18 signatures19 86 DLL side loading technique detected 49->86 52 conhost.exe 49->52         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd1a88e1b94ca63fb0f613006ca666dc69baad7abb86129df1b825f8e48d8265/
Threat name:
Win32.Trojan.ModiLoader
Create hunting rule
Status:
Malicious
First seen:
2023-09-27 05:46:05 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xunirynzjstd7mhwcmagzjtg3ru3vll2xodbfhprxas7rzenqjsq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0451434391ff07fc5849fb0720ab7f9959314aab5bcffe37490c1a893ba15d6c
Loki
25a3c31cfefacd58b5175960891d0c14d3201a99ef57011186849e0fd50c7174
Loki
347cfd6ac482e6562d6a8bb4029ed095936599ee3de2498f91171c135f9b4632
Loki
3f91df1694752e2393e88e98c63348a310db58b7665d6e9d2ec7b2e84344aeda
Loki
6f4aeb9995526d099eba9f227cd9282e2bbd43e190442be3355f07e8b41609a9
Loki
852cc0f22ea3ace2856b9f5ec32a80446829f692bed524d843927ccb2807439e
Loki
920c77fdc169434909d771b4929da0fbf5e749694b05b165529913074b7024d2
Loki
a80244841abcc266e558917b5758808c11aad9703b51de0469639d2f32153abd
Loki
bfb3b7f5c73f6c15389fe5240d0388044d3663724cfe6461b9fabe2639fb045d
Loki
+ 17 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:lokibot family:modiloader collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/230927-ggamyshe97/
Behaviour
Enumerates system info in registry
Runs ping.exe
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
ModiLoader Second Stage
Lokibot
ModiLoader, DBatLoader
Malware Config
C2 Extraction:
http://45.77.76.224/~clinics/eVI28q6BOshwTRKh6fW
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
MD5 hash:
c116d3604ceafe7057d77ff27552c215
SHA1 hash:
452b14432fb5758b46f2897aeccd89f7c82a727d
Link:
https://www.unpac.me/results/fbf72816-d892-431a-923c-2bc4428a7811/
SH256 hash:
5bdf307af2e036541a716e8abfc28df166c5ddbe69dadffbf1ec8bd8a4572988
MD5 hash:
bd0c8ebcef949b313c56fcdec51fc005
SHA1 hash:
0dda2d3a46bb4961d8e0266b6e221d773eca0cc9
Link:
https://www.unpac.me/results/fbf72816-d892-431a-923c-2bc4428a7811/
SH256 hash:
bd1a88e1b94ca63fb0f613006ca666dc69baad7abb86129df1b825f8e48d8265
MD5 hash:
3c628bc76cd0e54e4ba30ea6e15de0bc
SHA1 hash:
4531ff8af3dfe1ac82bf2047f4d03b93200f05ba
Link:
https://www.unpac.me/results/fbf72816-d892-431a-923c-2bc4428a7811/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd1a88e1b94c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd1a88e1b94ca63fb0f613006ca666dc69baad7abb86129df1b825f8e48d8265

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/451433/

Comments