MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2e2d25ea8a06a42c9d5e4ce95245ad1bfe75311db885264d412654db43b80e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	c2e2d25ea8a06a42c9d5e4ce95245ad1bfe75311db885264d412654db43b80e8
SHA3-384 hash:	08ef04fc0b1c667f4484e63b70c32c22b4e4de1f43c64d61594b1adf3676ed8f5597b1417fdc55e04b84371ac588f1fe
SHA1 hash:	f3180d21d72454e22a754b006a0fd42f0ddd90ff
MD5 hash:	fb56d1b5896520a2dbd64398b9708a8c
humanhash:	mirror-aspen-magazine-arkansas
File name:	SecuriteInfo.com.Win32.PWSX-gen.31946.24700
Download:	download sample
Signature	Loki Create hunting rule
File size:	744'448 bytes
First seen:	2022-11-07 05:02:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:A6cIxQiP/FyL4BNgaVT7ZZ7DiJUSjTpjzXI7OPVRSWe8c:A6cqH1ySX6J7nQOtYD8c
Threatray	13'150 similar samples on MalwareBazaar
TLSH	T194F49CEF66A2B4ECCEF08C79F4756B1C02605A009A17A347247FFE56763927D4F90A09
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	d0f8ececece8f0f8 (9 x AgentTesla, 1 x Loki, 1 x CyberGate)
Reporter	SecuriteInfoCom
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

153

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.31946.24700

Verdict:

Malicious activity

Analysis date:

2022-11-07 05:03:59 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/c9d9b86c-e0b4-42f0-8c41-b3af728ab640

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/329668/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.31946.24700.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63689187925ebadf879d2c17/reports/806d09c1-ad78-4ca4-8c16-ffb3bafe4dee/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/57ecede0-64fc-4809-95f3-53a66a3e5b65

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1106936

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2e2d25ea8a06a42c9d5e4ce95245ad1bfe75311db885264d412654db43b80e8/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-07 02:44:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 42 (52.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ylrnexviubvefsov4thjkjc22g76ouyr3oefezgucjsu3nb3qdua._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

def88fc364ed03678d528bfd6bc39f19ff1831b098aaf0705fa13063c4044a2a

Loki

ec2a93f1858ba7e0de894944d57fb4b2f3021e5574d1b3594bfd8ffe32f7b029

Loki

f998a60cb95f390ca201950cf41b1764646f2f8ca91f13c05fbf78282518e741

Loki

fa4058c30f37d1cdb72e5bbcc467ff8f9b584b090bfdf723ac1f04817980096a

Loki

+ 13'140 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/221107-fpnzwacbak/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://sempersim.su/gm1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0557a2f0-3f11-4c6c-8116-1fa78e51378c

Unpacked files

SH256 hash:

e32751f9f031b81437ba996ade82a8e68c5d668b811f9ffc8279ab4cd4257fd3

MD5 hash:

ecfe00faf31e26000b81b2d92707ca6c

SHA1 hash:

cc3d5b7dd6df67830487c1868b03a333a7aa2c46

Link:

https://www.unpac.me/results/9c431f4f-2580-4efa-b00c-998df43c2cf2/

SH256 hash:

bc444c4ec803b91da7af06cb0eb233fe69f565067f89544bf750fc17a9ede6dd

MD5 hash:

b52058082749f08bbcb7036b0d4189e8

SHA1 hash:

90365baf6b18ff3139da00cd5caf30660643110e

Link:

https://www.unpac.me/results/9c431f4f-2580-4efa-b00c-998df43c2cf2/

SH256 hash:

f8fecc7c0cf1b218d0c111a5c1e496999efb5d96941778e44d572c7d495eec12

MD5 hash:

0ecf91ad7d7d6c0ac607f398a51d4d27

SHA1 hash:

515621ed5f3e902fc7c6495863e27b1738b569a8

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/9c431f4f-2580-4efa-b00c-998df43c2cf2/

Parent samples :

c2e2d25ea8a06a42c9d5e4ce95245ad1bfe75311db885264d412654db43b80e8
18ec83d51c479e8dc33f7b248b7592c4f0f5ee50de5796e76b61d3f71018dd16
cba7baf628490fc7d5c033273fdbfb60fe28c091ba961f396841cd122f0df70b
5cd5cbdb883fcd9f6fbcc823d3e5473ca2e993772b4dacc45b66564f556eddc7
c358e010fdfea392f73173b0ab4a9b486a8d9a193bd2e8a71c50b39c14602741
2bfd8562d48b7fed321eaf2be83f37271d08b16341d37990e0782f36c98c9efc
8c35ed8135282731632f1b5037593356af2c2d47d5cd12638556924c4be2c95e

SH256 hash:

92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90

MD5 hash:

046e97119545e5abde2f40b5dc3a0344

SHA1 hash:

3e69b67ddff2554c8cd72e129d4da9c8acd9d331

Link:

https://www.unpac.me/results/9c431f4f-2580-4efa-b00c-998df43c2cf2/

SH256 hash:

86671cd7a6713847885d6bb7f0d38fc46a3bd6540b0f9849ae57f23666852098

MD5 hash:

3202ac03b3d458d762827bd5b3436057

SHA1 hash:

1a61e3f1ce1284d742c39c9daa8e47ab587c13fe

Link:

https://www.unpac.me/results/9c431f4f-2580-4efa-b00c-998df43c2cf2/

SH256 hash:

c2e2d25ea8a06a42c9d5e4ce95245ad1bfe75311db885264d412654db43b80e8

MD5 hash:

fb56d1b5896520a2dbd64398b9708a8c

SHA1 hash:

f3180d21d72454e22a754b006a0fd42f0ddd90ff

Link:

https://www.unpac.me/results/9c431f4f-2580-4efa-b00c-998df43c2cf2/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c2e2d25ea8a0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c2e2d25ea8a06a42c9d5e4ce95245ad1bfe75311db885264d412654db43b80e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/329668/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample