MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be339cfeb53653747aae71f7d9853019bd536777a475b3933583389a4b53a8af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	be339cfeb53653747aae71f7d9853019bd536777a475b3933583389a4b53a8af
SHA3-384 hash:	04da70666374ff6469d5b72fcd2ef9b01789e28187fdfa36feb498f74eba7fc688e46ee81ce071cd936ac5392905c755
SHA1 hash:	8a8c2201c884abd3dcccaf7a51d600f7725bbfc3
MD5 hash:	ad1d6d9412db416cb662edbab0fb2db0
humanhash:	football-coffee-avocado-asparagus
File name:	SecuriteInfo.com.W32.AIDetectNet.01.19222.29228
Download:	download sample
Signature	Loki Create hunting rule
File size:	709'632 bytes
First seen:	2022-07-18 04:32:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:JCXrNNzB0W8NnCB1lo9RYx0OPOLdCZGkbseSmWb2gb3IU3ScaFlSNS:JCXrNNl0r1CDVx0OPOAkXmO9VaQS
Threatray	8'730 similar samples on MalwareBazaar
TLSH	T141E4020637A96B06C8BA8BFDA935444083F97A663175D74D4ED1B0CF1AE1B828A11F1F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	SecuriteInfoCom
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

293

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/291445/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.19222.29228.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Gathering data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ce1fa8d9-5457-46b4-882b-32fceed69a53

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1035472

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Generic Downloader

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/be339cfeb53653747aae71f7d9853019bd536777a475b3933583389a4b53a8af/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-07-18 03:06:20 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xyzzz7vvgzjxi6vooh35tbjqdg6vgz3xur23hezvqm4jus2tvcxq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

1065589a9340762824a0d03fff314f61e65083bf59cbc457e7ebb4986d871611

Loki

6224386940968b1bd3bf7b45310af4170d355155e3a4e31719d4ae31a537e272

Loki

66f0af4a5029d6776422a80253a4e54afb934e5f575a75b4035eff989e575699

Loki

82168c370bb28d4673cddf35511f20cb647547d01858d931d25c59f16e804ec6

Loki

a81a1c397fa0a995ed31c5754a34d50b7bfab50b5473966fa0ab9e891987b703

Loki

e3bd0660f61bc671f91a00cac1734dd1854d7c7a2ae4293ddc960d274fdfbe6e

Loki

+ 8'720 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220718-e6hzhshda4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://s509040.smrtp.ru/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807

MD5 hash:

db51fe170a9e5d6ec5429a2fbd9d0353

SHA1 hash:

e30a58125fc41322db6cf2ccb6a6d414ed379016

Link:

https://www.unpac.me/results/7fd14e68-fb47-4639-9b91-0dd86b2fcbe8/

SH256 hash:

673c5d75bbb563754906b8b6126250a3d838d16a67d3a583440af8cacc96d6cd

MD5 hash:

2c304ea9c2c1cfbaa7de2e84cc24fdd5

SHA1 hash:

b89f60d7c401764781d3f03ddb5bb75fc0dee2b3

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

Link:

https://www.unpac.me/results/7fd14e68-fb47-4639-9b91-0dd86b2fcbe8/

Parent samples :

1d1288c2ce2893c49f8b5415034de067a2d68ccddc08fe89f8711e568d777505
ce1338ddf58f4b9b71750384ef4c5e6ed06beacb6dc6182eb4deb796da4ccfb6
3f2292c2e24fc2f0e2c5aa18cc28c19ea4c05600a8b3c4f3a7d97991425cd7fc
be339cfeb53653747aae71f7d9853019bd536777a475b3933583389a4b53a8af
7e3d633c1840ccfb34563bb3f937a4b11f7c2eb36b8733d06023c3cb7f0667fc
81c113815c984e85f8a855ad0ef10b8d1a0b217912df74df139c8c5c4a1a7192

SH256 hash:

5498ff5cd5ccd093b4e721cc646905c5b1438f3a3dacaf0b3b56f7dfd897ad0b

MD5 hash:

72a218535d33a3f36e2b5e6b2d13127b

SHA1 hash:

69f355fc68d5efe1c5686e456c80b9369bdc1366

Link:

https://www.unpac.me/results/7fd14e68-fb47-4639-9b91-0dd86b2fcbe8/

SH256 hash:

dffdee6d85a6175722f94567ab1efe5845ba1c67a567beb1b78be708d554ad3b

MD5 hash:

9081799c3a0301d276d0bd54672174b1

SHA1 hash:

59ccf00ae7b8b159916567cb148a70c4d47c0258

Link:

https://www.unpac.me/results/7fd14e68-fb47-4639-9b91-0dd86b2fcbe8/

SH256 hash:

1bced31aaeda54366fcea3f04bdf8a1aa89f54c48660a8919c7b6fdfd23ed0a9

MD5 hash:

2e3d8682972eda68494caee2f811b692

SHA1 hash:

55d5852a851f14796027574e0713ddc59fe24369

Link:

https://www.unpac.me/results/7fd14e68-fb47-4639-9b91-0dd86b2fcbe8/

SH256 hash:

be339cfeb53653747aae71f7d9853019bd536777a475b3933583389a4b53a8af

MD5 hash:

ad1d6d9412db416cb662edbab0fb2db0

SHA1 hash:

8a8c2201c884abd3dcccaf7a51d600f7725bbfc3

Link:

https://www.unpac.me/results/7fd14e68-fb47-4639-9b91-0dd86b2fcbe8/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/be339cfeb536/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/be339cfeb53653747aae71f7d9853019bd536777a475b3933583389a4b53a8af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/291445/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample