MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be6f35f126b524e098bc655f0b8676d617219b8dd6940b52783959e330e942d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be6f35f126b524e098bc655f0b8676d617219b8dd6940b52783959e330e942d4
SHA3-384 hash: 04853085c901c9feb8e06bba64ab9c192d095655a12bec7fbf2e8feebd8b36e38d99d66a51621ca590cf8b772ba968c8
SHA1 hash: dacd3dce02952bab0586410eb97a53eebb316e25
MD5 hash: 36fd37054aff41f0a2b7151d37020207
humanhash: fanta-diet-eight-purple
File name:RFQ #3142022.exe
Download: download sample
Signature Loki
Create hunting rule
File size:640'512 bytes
First seen:2022-03-14 07:20:04 UTC
Last seen:2022-03-14 09:05:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:ywoeqKoI4JsPzbWWwdQ0JR5227VOcTvQECsUygCcqChNZhfbqytN92rLCOdZ3j5i:EeTo9WwQ0Z570ZE5UygXh/9+OOdZF4p
Threatray 6'053 similar samples on MalwareBazaar
TLSH T1CED49E3927C51B54D07E5B34A378808423F1764BDB25C79E3DB101ECAFA1E46A633AA7
Reporter GovCERT_CH
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/249963/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GKL.genEldorado.14925.6862.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a file in the %temp% directory
Launching a process
Creating a file
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/622eeca9dfdfa8501c9c902c/reports/3aa73fd8-0f28-4301-a1b4-2e110269bc79/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bab84e7c-dccb-4add-9aba-c2dbd4d77db0
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/955836
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 588317 Sample: RFQ #3142022.exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 42 qtd8gcdoplav737wretjqmaiy.cf 2->42 58 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->58 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 8 other signatures 2->64 8 RFQ #3142022.exe 4 2->8         started        signatures3 process4 file5 34 C:\Users\user\...\RFQ #3142022.exe.log, ASCII 8->34 dropped 36 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->36 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->66 12 cmd.exe 3 8->12         started        16 cmd.exe 1 8->16         started        signatures6 process7 file8 38 C:\Users\user\AppData\Roaming\Sunnugato.exe, PE32 12->38 dropped 40 C:\Users\...\Sunnugato.exe:Zone.Identifier, ASCII 12->40 dropped 68 Uses ping.exe to sleep 12->68 18 Sunnugato.exe 2 12->18         started        21 conhost.exe 12->21         started        23 PING.EXE 1 12->23         started        25 PING.EXE 1 12->25         started        70 Uses ping.exe to check the status of other devices and networks 16->70 27 reg.exe 1 1 16->27         started        29 PING.EXE 1 16->29         started        32 conhost.exe 16->32         started        signatures9 process10 dnsIp11 48 Antivirus detection for dropped file 18->48 50 Multi AV Scanner detection for dropped file 18->50 52 Machine Learning detection for dropped file 18->52 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->54 56 Creates an undocumented autostart registry key 27->56 44 127.0.0.1 unknown unknown 29->44 46 192.168.2.1 unknown unknown 29->46 signatures12
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/be6f35f126b524e098bc655f0b8676d617219b8dd6940b52783959e330e942d4/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 07:20:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
77
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xzxtl4jgwusobgf4mvpqxbtw2ylsdg4n22kawutyhfm6gmhjilka._file
Verdict:
unknown
Similar samples:
142dc674a687ade3bc56e2e78f0a6dc0603d81f176f8a9d794d909b6839bcc5b
Loki
1db2ec499c11b096c4a468a878a9e6bb791183ca2156eb2e8c233fd7b172b607
Loki
361ea662d75ba904bd3f0fbba782ef03eeab294f6dd736b79090fcfc2dd25166
Loki
4f48ef3036b8e2b724cbf9ec618f35baf7cb5e2017dc5fae4825659a28b58e68
Loki
67e030c1c7dd08138eb1d6a12a4d652c4a304f22db556afce411c32a23bddf23
Loki
b2b62a37a18c2eeaffe26fb8f15af6964efa41f0bcdda7550a03c58a02653b3e
Loki
d1000588f8a0fb8debc8ca3133fcbc32806b9dc5d7844157f171790cf5d86946
Loki
ec8915aa703260e0b1f1aa7d221c89cf5da6a330b0944d8f32e4159020617edb
Loki
ee34f06a904be05303304e7d9c018c7e12efb83cb9b93544c00a0385da5d1716
Loki
eee3d70ef0eb418264c10075b901845b097297613637892efb77aecb236c5e11
Loki
+ 6'043 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/220314-h55cxafgam/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Modifies WinLogon for persistence
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://qtd8gcdoplav737wretjqmaiy.cf/Kent1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
c611a6ceb263401ed18ff93961bd6d0cdf8757e48d8e76b13943e85b9d3b5a0b
MD5 hash:
f9b293305bd04eee511c0ffd0e7f29d7
SHA1 hash:
fd981a9537a903422311f582defc1c8fd97248af
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
SH256 hash:
7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a
MD5 hash:
72403055ee098f50bcc8a238fdbef878
SHA1 hash:
eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
SH256 hash:
80e637b0cbb85c377102ee9479fbb73cf54ac1ff21207a9298aa4e98251e6e26
MD5 hash:
f6713013b888f728dcca5180404a5d0a
SHA1 hash:
d1407832df42ead11807e105bc174027001b878e
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
SH256 hash:
fc4b5f53362334630b1f94201178275ecfb79ef4f4610c2211d146d791b29c27
MD5 hash:
4ec66a90617192d4ec943da97c64c622
SHA1 hash:
6c8de23a2b4b5cfdd04f5b8a02d6e9c74ae1f39a
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
SH256 hash:
e052b79a3deb3930269bc9368953a124a36802379033237cc52f0b1128a813f7
MD5 hash:
20c1640a992a742d1197cdbf58f079ee
SHA1 hash:
628a80b81cf6a843f17d622615904db16d768c24
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
Parent samples :
8fd730d159022d6d231ef67ff5da12f800e8376cd511ba854df504efdef94c05
be6f35f126b524e098bc655f0b8676d617219b8dd6940b52783959e330e942d4
SH256 hash:
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
MD5 hash:
0e362e7005823d0bec3719b902ed6d62
SHA1 hash:
590d860b909804349e0cdc2f1662b37bd62f7463
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
SH256 hash:
a4ad262051ed2de2d106d703645a4a5a67d039881e6367e842f32f4a19d74f86
MD5 hash:
05fcbc9d79fd6f5e3147e636f9b413c2
SHA1 hash:
58cfe2bf03ec5d28a3dae3344ae3ea8c17a64593
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
SH256 hash:
b874dad75a321d23ce7e452f7e9843b07f644742302b3bd925d0c27aecef375b
MD5 hash:
38c43af23def3d726397e3913f99a12d
SHA1 hash:
51194a2b685c77a95e81bbeb4ba6189d1c308201
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
SH256 hash:
be6f35f126b524e098bc655f0b8676d617219b8dd6940b52783959e330e942d4
MD5 hash:
36fd37054aff41f0a2b7151d37020207
SHA1 hash:
dacd3dce02952bab0586410eb97a53eebb316e25
Link:
https://www.unpac.me/results/4b9e674f-ab03-45da-a9d1-4703da165dfd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/be6f35f126b524e098bc655f0b8676d617219b8dd6940b52783959e330e942d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe be6f35f126b524e098bc655f0b8676d617219b8dd6940b52783959e330e942d4

(this sample)

  
Dropped by
loki
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/249963/
  
URLhaus
https://urlhaus.abuse.ch/url/2095961/

Comments