MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a
SHA3-384 hash:	874532558f590ebbb86510c72cfec44a4e419f70f1e34d864692ea33649a567fe708856585e2754587c702a1af03d3b2
SHA1 hash:	7c1dc57f9c57aa727686be8184c95934a91e9805
MD5 hash:	6698ed4cca8027d7a15d0fb3acf7dbb9
humanhash:	twelve-blossom-east-network
File name:	caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a
Download:	download sample
Signature	Loki Create hunting rule
File size:	783'360 bytes
First seen:	2023-05-05 11:19:04 UTC
Last seen:	2023-05-13 22:48:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:f+/9WflU/9516zSM/8nd0J3cufqFpzKCB0L86C+XN1Y:mylUn162Mc+XCFpKCOYo9
Threatray	4'122 similar samples on MalwareBazaar
TLSH	T1A6F4273C19BD263BC179D7A6CFE1C427B514A8AF3521ED64A8D747A60346E2235C323E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	adrian__luca
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a

Verdict:

Malicious activity

Analysis date:

2023-05-05 11:18:00 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/4dca41b4-dec0-466b-a3db-6bb67cb893ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/386778/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/6454e6641b83d256ad16a867/reports/72a2deb6-8c9d-4bdc-8235-1d4a65a3d769/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5435a190-4122-45c3-88d8-6350c77090a6

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1227304

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-05 11:20:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 37 (51.35%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zlzqe2iomwwxn532iscbqij2leqblcj72l7sfngj43ardhgeusna._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

13b7f376d27ce6de51165613f7faf54350e0fbd2c50b509df1bdc3704e26808f

Loki

5c8cebda365a042d04dc1734322b809fdb56e95f0a7ce0b7bd3e141ebccc07bf

Loki

78a5a0b0bed684217ba65ee4f92daebaa0ef82c9f95d9a5999e0b3755e2ba823

Loki

7e44c6fb6963620960fe0f8574af42ec032aaff7238bf470cba2c4af3a9da77d

Loki

aa5db1e76d992d81c9b6f368bc705f4240512bc4aa193cc23fa3ba50ce48d1fc

Loki

c4359763aa0cac9b3d55b130cca1f38e1a4b3a2b80c55feff4e048b86d2e9c0f

Loki

e2de9b40fe4d786cefc62428bb7e17d2268f5bf6c8c939e576d86be69c90af90

Loki

e3bd0660f61bc671f91a00cac1734dd1854d7c7a2ae4293ddc960d274fdfbe6e

Loki

+ 4'112 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230505-nfezlshg22/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://104.156.227.195/~blog/?p=78405647195
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

dd942869a0c14ac107709e4244d7ccda9344c6441cd361fc92208e1fb220dd52

MD5 hash:

beef22303793584755858466859d4482

SHA1 hash:

f890bc6c05afa855ecf6f3cc279058b491bce2b7

Link:

https://www.unpac.me/results/addb12c4-975e-48b5-8054-fb8fcdae87af/

SH256 hash:

dee5712ec158918b22267ba3f87fb1759d7355616938c1af5518880d3e769709

MD5 hash:

e050c89d9dddb2b7820934370418f866

SHA1 hash:

8972112be37ce65455071233271ac4ee8d32be3a

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/addb12c4-975e-48b5-8054-fb8fcdae87af/

Parent samples :

6f6d9a1e3f836778793c6c4d52bed1d222ecdf63aac071109f69e7fc2e268d7c
e9179d5b024e8d1d72b2338377afdcce5b33bd2272eeb19b2b136d5d8baeded7
caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a
b0d4208da27fb1e62586bae0beb7b01dab7fd10f06aaf065e7000614120b1572

SH256 hash:

c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0

MD5 hash:

da56041df789c24cb2a36a364431f766

SHA1 hash:

876e6c579d1092a76ce90c500c43af0cf11724a4

Link:

https://www.unpac.me/results/addb12c4-975e-48b5-8054-fb8fcdae87af/

SH256 hash:

bdeee91a93a93599da300ad2da6754b7cab04d1ba8eec30dc9e256514887dd5f

MD5 hash:

3da42c5fd656db51be4c29828f8408de

SHA1 hash:

763969c2534eda185c3ace514a4b9b18d6ae3ae3

Link:

https://www.unpac.me/results/addb12c4-975e-48b5-8054-fb8fcdae87af/

SH256 hash:

774f7c4efd77b4e392697f490dc75f03cddce2043dc0de206b4be806417a4518

MD5 hash:

81fe1ab928c7f6fe9aa7ab630d78fe22

SHA1 hash:

4e2ba626fb2bb0b5a95e0bb368e5404c32dbfa35

Link:

https://www.unpac.me/results/addb12c4-975e-48b5-8054-fb8fcdae87af/

SH256 hash:

caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a

MD5 hash:

6698ed4cca8027d7a15d0fb3acf7dbb9

SHA1 hash:

7c1dc57f9c57aa727686be8184c95934a91e9805

Link:

https://www.unpac.me/results/addb12c4-975e-48b5-8054-fb8fcdae87af/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/caf302690e65/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/caf302690e65ad76f77a448418213a592015893fd2ff22b4c9e6c1119cc4a49a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/386778/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample