MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs 1 YARA 8 File information Comments

SHA256 hash:	c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905
SHA3-384 hash:	ac9bb293d3d6e87f50ef3a7619c6d3568ec6738bc3f4aa8bf2880729588af0fe3b786d8a4fbbece453e004b2029f28e4
SHA1 hash:	559232b44c7583f26ce53f2e199d5a08b2d95abd
MD5 hash:	fdfbbc8edd70b51d54176815b77d2a26
humanhash:	massachusetts-alaska-montana-white
File name:	GT98765678000800.pif.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	472'064 bytes
First seen:	2024-11-20 05:25:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:NJOr0Yb59iAIYhQZSjNxfZzT4yoQ8BTjIz562JVbY:Ng7junZapbY
Threatray	94 similar samples on MalwareBazaar
TLSH	T1E2A46B9163FC921DFAFBAB34AA35B2105A36FD8F4476D28C1560316D1832F82DA60777
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://87.120.113.235/18/pin.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://87.120.113.235/18/pin.php	https://threatfox.abuse.ch/ioc/1346057/

Intelligence

File Origin

# of uploads :

# of downloads :

469

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

GT98765678000800.pif.exe

Verdict:

Malicious activity

Analysis date:

2024-11-20 05:26:09 UTC

Tags:

lokibot xor-url generic

Link:

https://app.any.run/tasks/9fdaee72-f4bf-4a55-af38-9544ed3ca751

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.32222.16907.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=673d737f7b9ab5fcc4dba5ed

Tags:

autorun gumen

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Connection attempt

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Enabling autorun by creating a file

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0035c081-6c12-4495-834b-bbbde7aed3e5

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

spre.troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1559067

Signature

.NET source code references suspicious native API functions

AI detected suspicious sample

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Creates executable files without a name

Drops PE files to the startup folder

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Powershell drops PE file

Sigma detected: Copy file to startup via Powershell

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905/

Threat name:

Win32.Trojan.Acll

Status:

Malicious

First seen:

2024-11-20 04:20:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ymsp4mw7swixn6li3afg74mrj4vrsxaxsy3w6jirzol7oy7r3ecq._file

Verdict:

malicious

Label(s):

lokibot

lokipasswordstealer(pws)

Loki

433cb2143587bacd21ada6c2c15ca014a20d3a1f5f78c495e307f81442f2a382

Loki

4e8b17d34495b7e4397939448da55c81d186794fa6a1f00a5e3cbd4659dd74ac

Loki

7eebc8928fee351d731226a9abbf7ce6e5833072b18721c603573fc8ff4c6e16

Loki

b6856c9f31a306accbaec81ae104cba40b2088ff32131532b4bb52eb70e2d13c

Loki

c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905

Loki

error

Loki

+ 84 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection discovery execution spyware stealer trojan

Link:

https://tria.ge/reports/241120-f4ve7s1gnd/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Drops startup file

Reads user/profile data of web browsers

Lokibot

Lokibot family

Malware Config

C2 Extraction:

http://87.120.113.235/18/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c2f85f2f-3158-412c-9dfe-048a67dd84cb

Unpacked files

SH256 hash:

4080f041c0d248fea39e9a2649cb9ef7748764755e022ae3d79b0bce2d20326e

MD5 hash:

ac347d3b3a710682340d9de47cdfd624

SHA1 hash:

c9bac003e88498b6b08fd8243eefce42cb889820

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Lokibot

SUSP_XORed_URL_In_EXE

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_GENInfoStealer

STEALER_Lokibot

Link:

https://www.unpac.me/results/b4e6b6a3-7bbc-4ea6-b823-0896c43b9159/

Parent samples :

a4e13d5ddfed2748925ccf8cb2a08cf03f992de943e195aa73411e1fd2efab80
041c73bd4c470d02db20ef282a1a8550f8987e362cbd07fc3828c14873a7f772
c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905
234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
be789d9c5185f7f04ddb78f2b39f9dd7415080c4d975139fc612158b0b3a5bad
afd5885712157bf7e51471f21b977788084aa78bf58d45287b4043edb2ee3495

SH256 hash:

45c7b64a55dca23ee1239649e03a7c361813dbcfc2a0817b0d8e94c907d6ed4b

MD5 hash:

fb1bc19121c4e190d83672bc71b493f0

SHA1 hash:

c3488b969ba578e28ee360be24b6416425a224a0

Link:

https://www.unpac.me/results/b4e6b6a3-7bbc-4ea6-b823-0896c43b9159/

SH256 hash:

45be9b193aa95f062f20dc5a15e23a493382520be5ec6ce30a8039106d3aa0c4

MD5 hash:

80ef9b7d4a6d8a9a33acdbb7f75ece2c

SHA1 hash:

36e426bb625afe48cdcc8bdfa9081e665cfeb6c9

Link:

https://www.unpac.me/results/b4e6b6a3-7bbc-4ea6-b823-0896c43b9159/

SH256 hash:

c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905

MD5 hash:

fdfbbc8edd70b51d54176815b77d2a26

SHA1 hash:

559232b44c7583f26ce53f2e199d5a08b2d95abd

Link:

https://www.unpac.me/results/b4e6b6a3-7bbc-4ea6-b823-0896c43b9159/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c324fe32df95/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	RSharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	identifiers for remote and gmremote

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample