MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd
SHA3-384 hash: 14a02ed3779c1d8a641e4e8b8f215f6c50ab26023546f23be6b4224dafa6c0ba1e668b668eceecf52d03bf8b6d2e5bc5
SHA1 hash: 60203e9be1c7be54a5725f99d16c50d347e1d759
MD5 hash: 4cf22b7498169674c8702bc82ca2c4fe
humanhash: jersey-floor-blossom-triple
File name:PICKING LIST.exe
Download: download sample
Signature Loki
Create hunting rule
File size:246'272 bytes
First seen:2020-06-30 05:46:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 6144:1wC8Lx5DmvjLn2bSa4saHvyc21Y7YbzN3Anm+uvc:1wC8d5DYjLn2bssWvd21tzZhi
Threatray 3'066 similar samples on MalwareBazaar
TLSH 5434CF1C766E2837CEBD05F58483224007F5D8BD3862F7CA5DCC60E916D6BDD4682AAB
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: yuantai-visa.com
Sending IP: 45.35.196.152
From: Demon Tao(Accounting Department)<Demon.tao@yuantai-visa.com>
Subject: INCORRECT BANK DETAILS FOR PAYMENT
Attachment: PICKING LIST.iso (contains "PICKING LIST.exe")

Loki C2:
http://mecharnise.ir/ea1/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/16780/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 04:25:59 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xydlr247yklespapna4k2s2vte7ca5wfgobvmxf7ua3rll34ylgq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
147408894fd77da6a8669e752089f4cc98286b9399b177b07fa8922d20a47874
Loki
1bf9db8285719827160844a6a51292c30346c3099a4753c92177cba4e59b2404
Loki
54bd5cfab1dd37a3b3c905c14768d9f2465e770a69dc0c057c2193c9ceeabed7
Loki
5706101b5ffaf565a5690227f1c273b174eb2dcd3565904984a36be84eca6645
Loki
8e46fce2bda79da5d4d8a9b5f3dc6c8295eee0968a9114e0559977f22dd71812
Loki
926e4cc83f26d59f2af152508ead9014b678c30a8024dd1182bde49feb158fc3
Loki
935e06731d9b88fcf33673ae11c9f9d184610aa64a6b7e1da89b1328a34e1b83
Loki
b3f42f7a9747edcd9d13cab3d0a41b3e0d3cde5a5548f5328b5fcf2f3e068d85
Loki
df1f012094e4d7601eecac850af54eb268691a8dd95f79fae052e6b7588780f5
Loki
f450de216509d54d57606d71016ad6749f124b789a35ceffbbc5f768d62bdf4d
Loki
+ 3'056 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200630-5sszsjxjd2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Reads user/profile data of web browsers
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
Malware Config
C2 Extraction:
http://mecharnise.ir/ea1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

iso f5fdfd64ee35404d0971d347d2e8172de0ceadb989171a2c1215ba89c0b8252f

Loki

Executable exe be06b8eb9fc296493c0f6838ad4b55993e2076c53383565cbfa03715af7cc2cd

(this sample)

  
Dropped by
MD5 81ac7647d979f093c67048c7dbd3cfe4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/16780/
  
Dropped by
SHA256 f5fdfd64ee35404d0971d347d2e8172de0ceadb989171a2c1215ba89c0b8252f

Comments