MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c70fd6881722dd5ececd355c1b516021a3704a3c70fa5b0a12c9a6989922ca7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c70fd6881722dd5ececd355c1b516021a3704a3c70fa5b0a12c9a6989922ca7d
SHA3-384 hash: 44bcfad0eca9e3f62637852c8dfe81e0b2a2d780baa26c1648dba090680c9d6c0b218fa73237cf0195608bed36b0dad8
SHA1 hash: 250e539ab3603c6ea755990b0d7068a717b23ac7
MD5 hash: 2fdefd9752f3754d05a8a0f7ce2e17eb
humanhash: cardinal-idaho-low-utah
File name:2fdefd9752f3754d05a8a0f7ce2e17eb.exe
Download: download sample
Signature Loki
Create hunting rule
File size:487'424 bytes
First seen:2021-05-22 15:55:22 UTC
Last seen:2021-05-22 16:01:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:+2NEi6xIXHpKDxv8BQLmdBRhKuztNqXhs4hlfhgBlsRUEdw0U:+2wx2pK18BQIRKuzyx/YOuEdw0
Threatray 3'261 similar samples on MalwareBazaar
TLSH 74A40260F944E553D9A18A3998C5E97A07B47E19EC13EB437080FF0F79BF3436912A92
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://vihaiha.com/.cc/news/school/boy/choo/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://vihaiha.com/.cc/news/school/boy/choo/fre.php https://threatfox.abuse.ch/ioc/57109/

Intelligence

File Origin
# of uploads :
2
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
booking-list-heroi-v.a2008-cs.cab
Verdict:
No threats detected
Analysis date:
2021-05-18 18:59:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4a3669fa-7f69-4615-a8fc-00271d4c2fa7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/788702
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 421098 Sample: t0w0yB62f5.exe Startdate: 22/05/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 6 other signatures 2->41 7 t0w0yB62f5.exe 6 2->7         started        process3 file4 25 C:\Users\user\AppData\...\t0w0yB62f5.exe, PE32 7->25 dropped 27 C:\Users\...\t0w0yB62f5.exe:Zone.Identifier, ASCII 7->27 dropped 29 C:\Users\user\AppData\...\t0w0yB62f5.exe.log, ASCII 7->29 dropped 31 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->31 dropped 43 Writes to foreign memory regions 7->43 45 Allocates memory in foreign processes 7->45 47 Injects a PE file into a foreign processes 7->47 11 t0w0yB62f5.exe 54 7->11         started        15 t0w0yB62f5.exe 7->15         started        17 AdvancedRun.exe 1 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 33 vihaiha.com 45.252.248.59, 49730, 49731, 49732 AZDIGI-AS-VNAZDIGICorporationVN Viet Nam 11->33 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 57 Antivirus detection for dropped file 15->57 59 Multi AV Scanner detection for dropped file 15->59 61 Tries to steal Mail credentials (via file registry) 15->61 63 Machine Learning detection for dropped file 15->63 21 AdvancedRun.exe 17->21         started        23 AdvancedRun.exe 19->23         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c70fd6881722dd5ececd355c1b516021a3704a3c70fa5b0a12c9a6989922ca7d/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-05-17 04:33:57 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4h5ncaxelov5twngvobwulaegrxasr4od5fwcqszgtjrgjczj6q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
20956d9a3da8031d80b40f6e336ef44e640f7c81034ab3652647d0e10d27df31
Loki
40e8910e48e5bfde7fd30bbc51a1d371a378dc4a306ed2145990219554f80a4a
Loki
916ba1be726e073d46ce02d5697723823362efc881a4d13aa803fd137fa63adf
Loki
a40c892d5e52d65846c5d480df4a5f54dc82383a719463cc01c8b3cbad102ad7
Loki
a56b83419b879f415fcd6961f31ad0345305288cd67b61ce4a533f8c2ae12c25
Loki
aa458271d21aa803973dd66d28e10a031d03809a810fd91d1eaa7fcdeea85ef4
Loki
c791d87f2f2efe1788e8906c68c6dcd2a372b48cad386baf421910dfa9a537b1
Loki
d6f503ac829e215dadadccaaf0ff64d3ec02b0f15405ba79348cabb4af32b714
Loki
d92cff6842da2ab3bb0f2ed868b84b525071cb5c4b7a282974169cf14cae9ca4
Loki
e3d35560e1c376351a5d2eff7a7e0d44206bf04844239f368273756581ec29a2
Loki
+ 3'251 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210522-jg55d9pg2j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Lokibot
Malware Config
C2 Extraction:
https://vihaiha.com/.cc/news/school/boy/choo/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c70fd6881722dd5ececd355c1b516021a3704a3c70fa5b0a12c9a6989922ca7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-22 16:02:21 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program