MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b
SHA3-384 hash:	b4664621a8aa8b26b616e6ead5802a11200195b897c9db22ef98606a7a295148de21f9cb702ade7e5056eec3bfb23f2a
SHA1 hash:	464e72166772199be7e4e7e73437df6ecf43132c
MD5 hash:	bc447c220338886975fd9d6b16999e4f
humanhash:	hydrogen-tennis-five-pasta
File name:	AWB#8457108962.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	671'744 bytes
First seen:	2023-03-20 16:07:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:GdfmYMUnFW/Nqb1t3MC/4ZlxWAwewhaG2KeAlks8EudHoQqk59KRz:GdfU4Zt54ZlxWDXzQ1p1os/
Threatray	248 similar samples on MalwareBazaar
TLSH	T186E402252BAA4635F1365BBC95E42285A77EB3B32717D44D04B210CE4B67B438ED0A3F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	209488c66eb85922 (14 x AgentTesla, 7 x Loki, 7 x Formbook)
Reporter	malwarelabnet
Tags:	exe Loki Lokibot

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

AWB#8457108962.exe

Verdict:

Malicious activity

Analysis date:

2023-03-20 16:09:57 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/f8ba8cb8-a4a8-4c5c-8ead-ac22245603a5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/375973/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo fareit formbook packed remcos

Link:

https://www.filescan.io/uploads/641884a7c60b3295f52c1da1/reports/18f1f75e-30f8-45fb-b8c6-3bb7b157273f/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9498e6fe-00b0-45c7-8115-92db35e57fca

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1197870

Signature

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2023-03-20 02:36:39 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yaj6y774gb5jnkbustm4qohwbptjeud25xq2bnoxfcfdte6myv5q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

50ee6f613fdfbbe0ab3745d1641f98df80be37ab88bb587cde4baf3835e5637c

Loki

512c02ea092713ae33b44e5074b6d0e35d934fc9dc3b1c7a6f789ec010d77f71

Loki

66891afe754c3aab6b8fa33af83ed871fc37d7e6668f02b3b0c7ef0e96756b20

Loki

6bd93280c677623b4c964daf8cea0c20ae3c32ea8cee4c2e52da9a8b3dfc5ec8

Loki

8e8f0ef7fe5176d9ca580c127a9476ca505c4990c317ebd7b18b92129eac4bb2

Loki

93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1

Loki

fccebf9b597398ab3e46b9f50076f8a3bcdb24cd4f3786e1c4540637cf32d96b

Loki

fd63f671c5984fd1cd39cf00e35bf5e978b8dedce3e209d29c120325f1984254

Loki

+ 238 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230320-tkmg5sec82/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://64.227.48.212/?page_id=6303
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

30780f2a50e90cd2774acd886918d8d92ea624a05b12d0e1faf7cec64a426edd

MD5 hash:

8d4982d22e42360c6097abdcf0ed79dd

SHA1 hash:

d7df2a1af071b636182c8f77affb9bcd9dc8c88e

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/d996a209-d957-4908-9273-799f6607bb9c/

Parent samples :

93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1
8e8f0ef7fe5176d9ca580c127a9476ca505c4990c317ebd7b18b92129eac4bb2
c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b
d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46
a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d
b3a40483ab494f036bce8494672fcabc9719ac985979446135ca2625de80056d
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
453b2c84056cde325f4e314ecb272996714901ced897e8605658d25f1036aee6

SH256 hash:

e5c3f3ee928543be13f2741a3ce9030ad53c194113e14ae5614a17f5ed2889db

MD5 hash:

9e8309817a07c2bc7e5a6e5ad5ead7d4

SHA1 hash:

cbbef314d64f15773d836a7260552395dfe45251

Link:

https://www.unpac.me/results/d996a209-d957-4908-9273-799f6607bb9c/

SH256 hash:

494de00f272494d84488d142c16473200d88dcbb8505162b70a5cd24370c22c6

MD5 hash:

155741c6e70bc153c7944cdd067f9198

SHA1 hash:

b84378b14493a86a768f1a0bb6ac948fceae67db

Detections:

lokibot

Link:

https://www.unpac.me/results/d996a209-d957-4908-9273-799f6607bb9c/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/d996a209-d957-4908-9273-799f6607bb9c/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

000c0889c2d93807781cb5e2c212d07bd38c6fed9b738530f2515640306b5f44

MD5 hash:

8d369299a047f228593293887092e43d

SHA1 hash:

7e38cd87127c3ea59ddba80f7ddf35fb105a7f6c

Link:

https://www.unpac.me/results/d996a209-d957-4908-9273-799f6607bb9c/

SH256 hash:

c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b

MD5 hash:

bc447c220338886975fd9d6b16999e4f

SHA1 hash:

464e72166772199be7e4e7e73437df6ecf43132c

Link:

https://www.unpac.me/results/d996a209-d957-4908-9273-799f6607bb9c/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c013ec7ffc30/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/375973/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample