MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca00e552544b5c316d1fe6739c87302a5444889c9a426ed558e26d0de82db4ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	ca00e552544b5c316d1fe6739c87302a5444889c9a426ed558e26d0de82db4ff
SHA3-384 hash:	fa1f22668b1cc463cab869acd24199b722c51bab4082f27dc0e274759d0c09a202eb2d9771aaa190df0f4644e1349b8e
SHA1 hash:	a30da6c3b59788e87ed8c9387edcca3b799a741b
MD5 hash:	90bffdb34cd5aafe15351e34449d02bb
humanhash:	avocado-undress-island-glucose
File name:	documents.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	598'528 bytes
First seen:	2022-05-31 06:50:26 UTC
Last seen:	2022-05-31 08:07:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:TrXpUSlB61512Wx5Aa0LUTEB7/J+KwoU4qyP+W+0MomBIQ2cdt:3XpUSlB61512WxuXwKsKDU4qJWrlmBIk
TLSH	T1CED4123826AC4752C9FF0FB894A651809374C2165B07E73EDDE575A828E33E11A07BE7
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70f8ecccece87070 (15 x Formbook, 9 x AgentTesla, 8 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://blinkcard.co.vu/shin/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://blinkcard.co.vu/shin/five/fre.php	https://threatfox.abuse.ch/ioc/643467/

Intelligence

File Origin

# of uploads :

# of downloads :

313

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

documents.exe

Verdict:

Malicious activity

Analysis date:

2022-05-31 06:55:08 UTC

Tags:

trojan lokibot stealer opendir

Link:

https://app.any.run/tasks/9ae06f7b-9c5c-434c-a79a-1b267bcd04e4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/275642/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.60305.12512.18918.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6295bae46eb3ff3263436492/reports/73c09450-2aa0-433e-9cf3-0fccfe7d6a44/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/da20a859-da66-4076-87fd-6e8b380dffee

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003982

Signature

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/ca00e552544b5c316d1fe6739c87302a5444889c9a426ed558e26d0de82db4ff/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-31 06:51:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ziaokusujnodc3i74zzzzbzqfjkejce4tjbg5vky4jwq32bnwt7q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220531-hmgtwshfd7/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

https://blinkcard.co.vu/shin/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

9817859ba216d41fcdf6cba462f6fdb0c5ba479ab87d64ab3974b447bec29129

MD5 hash:

28f6585f1143d0b1bf8345dbcccbe217

SHA1 hash:

e6f3da2b05d20da8aa499cce2f238d55dc28b918

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/3dfbc66d-0a25-4c1d-9c3a-807f1306b363/

Parent samples :

9d39d5e879fbf69a66c504a727dd38dc01d5555f324017888b8679c42a42ce03
f634dff5e11e123a3495dd867ff9300fb3eb22c0f2ca0b2f5d6e014b391bc9be
ca00e552544b5c316d1fe6739c87302a5444889c9a426ed558e26d0de82db4ff
d11d8fee0ee2b06c3290996b33a81bab51abf0281c27f2e9890fcb8377671040
23d09cab4649a3c8aa20f7cf4e3b671f5902e71e181c2c3a86bdaeb92e104c6f
a82a9113b739395948f36574b52ffe432c60778fbf2773796641198cd4ce505f
701c8a49d43fddc123ff023f82f058a7c7657689379d00d114354b03817e837f
a79d5d696650b4f3f5f764ca655ddd6817a38ff469d09090d98141e84963248c
4f7536dab8041ebc8e43c2334ce18be0b98228cb192a05297ab5b80ae6d147aa
18f4fcd5e0df3982c65feadfe5ae92c26c798873c543028bfa76d939305c15f4
8a6bffed79d6eb5c57b4eb47aba7789b3498b54845519a8db65bc1de3f37d982
4101090ade3774633d6ad416ca263c15a6890dd865f493d0f1ea3a2fcfddb2bf
752c92310cd1d5e610fe6fd659385f4d311fe96db287758e5e9df42ec3061ca0
763b9ddb8670835d34e5ecbd031c8077ad8c1e1572e43f558fa664a8d6b0c4d5
33a7a8caf94cce1c24fdd52abe6c8d7708d7d937811ba936495c6f103e2457f0

SH256 hash:

fe3b2e8c7b1ae5a60318d606f9cccad253ba8d3d20c9d5b8120bbc4b72c8fc06

MD5 hash:

dd49e5986371cef88c4c4102b7d0af4c

SHA1 hash:

6b262a1d9617eb08438facc0f73c79d74be9c0bb

Link:

https://www.unpac.me/results/3dfbc66d-0a25-4c1d-9c3a-807f1306b363/

SH256 hash:

7bc2f8c1c02ebeb42b344ce175973e9bcfc0763a7a2ce7699458dd85e137ca13

MD5 hash:

bcf9fc7a2c621f869843a80391eb8760

SHA1 hash:

7009f4a75a79de837ec7525c3bd5d5c43dbd9c56

Link:

https://www.unpac.me/results/3dfbc66d-0a25-4c1d-9c3a-807f1306b363/

SH256 hash:

879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504

MD5 hash:

30b6a54a992eae921a2eb8c5ea130911

SHA1 hash:

1c83f0319bffe007077c6656418c9b7344d5affe

Link:

https://www.unpac.me/results/3dfbc66d-0a25-4c1d-9c3a-807f1306b363/

SH256 hash:

ca00e552544b5c316d1fe6739c87302a5444889c9a426ed558e26d0de82db4ff

MD5 hash:

90bffdb34cd5aafe15351e34449d02bb

SHA1 hash:

a30da6c3b59788e87ed8c9387edcca3b799a741b

Link:

https://www.unpac.me/results/3dfbc66d-0a25-4c1d-9c3a-807f1306b363/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ca00e552544b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca00e552544b5c316d1fe6739c87302a5444889c9a426ed558e26d0de82db4ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/275642/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample