MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c535edfc3c3a0b7421903298329a5931db817c5d3cc395bbf257724b9060cb3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 12 File information Comments

SHA256 hash:	c535edfc3c3a0b7421903298329a5931db817c5d3cc395bbf257724b9060cb3b
SHA3-384 hash:	9f761c734e8a390265f7b37eff422c2bdba7beb80119f9f6d348d569eb90c4c444f1ee136986df6a3753e310e5f0cb1c
SHA1 hash:	5a8f09d44d948b1b7547e78a0c4f8b6db82628cc
MD5 hash:	f827b18c05c97d481d84bd6b159922a8
humanhash:	neptune-tennessee-oxygen-nineteen
File name:	vbc.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	294'912 bytes
First seen:	2021-11-03 08:49:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7e51d9833813c1a3fb57baba54855909 (2 x RedLineStealer, 1 x Loki, 1 x IcedID)
ssdeep	6144:vjkTC8Dwmr4tDQmYLK4VZZEtN4QZzQIuUWbhcDD:v4+2ZEDAKgEtN4WQIuBbsD
Threatray	5'361 similar samples on MalwareBazaar
TLSH	T194548D00A6A1C035F0B256F889BAA379B53F7EA16B3451CF13E426ED5674AE1EC31347
File icon (PE):
dhash icon	b2dacabecee6baa6 (148 x RedLineStealer, 145 x Stop, 100 x Smoke Loader)
Reporter	pr0xylife
Tags:	exe Loki Lokibot

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://secure01-redirect.net/fd11/fre.php	https://threatfox.abuse.ch/ioc/241780/

Intelligence

File Origin

# of uploads :

# of downloads :

346

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

invc_00009499400049.rtf

Verdict:

Malicious activity

Analysis date:

2021-11-03 08:46:42 UTC

Tags:

opendir exploit CVE-2017-11882 loader lokibot stealer trojan

Link:

https://app.any.run/tasks/3ed8504c-d6b3-48da-9694-9b996006cefb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/201697/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Reading critical registry keys

Changing a file

Replacing files

Connection attempt to an infection source

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Stealing user critical data

Query of malicious DNS domain

Moving of the original file

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/61824d3e9982ff7c3f7cf449/reports/88b020b1-96aa-4dfd-9ba6-c377afccd3c6/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8d38db12-798f-4da9-8e41-6a1aa05f2ae1

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/882011

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/c535edfc3c3a0b7421903298329a5931db817c5d3cc395bbf257724b9060cb3b/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2021-11-03 08:50:06 UTC

AV detection:

18 of 44 (40.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yu2637b4hifxiimqgkmdfgszghnyc7c5htbzlo7sk5zexedazm5q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

39b95a1927b9cc2435642fc76dbeb4e7fae9a858ce4cc2664490de6f74662fbc

Loki

61469a1a12ec1dadb9f884a0f07c23d7de89e77cb687bb6919c555de6ca8dc22

Loki

711d41ba139f51e91bbb8f691f91e55655a0ad5a40f61a6bfebd9fe3d1ae2e37

Loki

a3237b31acd5448e7082cf28eb83ba819added0c2053c938cb603652aeecf177

Loki

e0c8153eb8485f67e45cdad68ec46fc5f84af757a69970856fdee671b2b8e07e

Loki

e4c1c0121487f83b014b8c81bbaf03db0b7f49584a268a5e67ca64ba6e64676f

Loki

+ 5'351 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/211103-krl1hsddf7/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Lokibot

Malware Config

C2 Extraction:

http://secure01-redirect.net/fd11/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

646d970fc23911f538faefd956eb87b1a956609c2af6d3213e15ef0d851d7e07

MD5 hash:

07c283b36280aac39eba0953212878eb

SHA1 hash:

e58e3af4a3e1cba07898f98449a16460d5eaaf37

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/9677fe13-45fd-4782-a5f3-d8ebbe99390b/

Parent samples :

c535edfc3c3a0b7421903298329a5931db817c5d3cc395bbf257724b9060cb3b
64ffb73a1276e203228435365263f1f53ce13722454ac08f092533b02c05104e
721426db54e80aa93306294236b93eda43ee5fe69ea47f27ac33a0ec6bf0dd74
0a66966f403ae52a8cbdc75066d7fe488ff6b152a05bb945a5b92e9b4ecf51d9
ee01efe5bc64a5e50dc0c495edea7d102d8f851bbe4f37f3ed91279c2e1fd2a5
3adcd6bfdb97a238c80d0cf8554fe4cabc22c50e03bd16985f8fcc02deb90f05
8e08e11a06efa2ed04641873284bb209fc777f147fbe7188d10b442f8bc8e3d3

SH256 hash:

c535edfc3c3a0b7421903298329a5931db817c5d3cc395bbf257724b9060cb3b

MD5 hash:

f827b18c05c97d481d84bd6b159922a8

SHA1 hash:

5a8f09d44d948b1b7547e78a0c4f8b6db82628cc

Link:

https://www.unpac.me/results/9677fe13-45fd-4782-a5f3-d8ebbe99390b/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/c535edfc3c3a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c535edfc3c3a0b7421903298329a5931db817c5d3cc395bbf257724b9060cb3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

Rule name:	XOREngine_Misc_XOR_Func Create hunting rule
Author:	smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:	Use with care, https://twitter.com/cyb3rops/status/1237042104406355968