MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf60dd8e927a419d76dfb060c649c888dacc338cc14b5e3abf5e388213fec520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf60dd8e927a419d76dfb060c649c888dacc338cc14b5e3abf5e388213fec520
SHA3-384 hash: b0a4d0f2b5abaf6d43bdb327ee3f73ee68d13eefe6803b1a5b6ea179a8ef2e0217feb1fa1fed99b30b500a8abc134a21
SHA1 hash: 9d189e6c51bc1cb9ff860eb4d8a0c9aef6487aee
MD5 hash: df440b940c5398f756ed55785c9307a8
humanhash: six-queen-five-georgia
File name:Request For New Order05.com
Download: download sample
Signature Loki
Create hunting rule
File size:717'824 bytes
First seen:2020-07-16 18:29:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:8p+oczpg/4W7dm3p74KoXERim9lJXWueQbXhWA+x+Fv0nqfzUBeYF5b1Mym3:Loczpg/4DRGkP/9L8x+QDW3
Threatray 1'533 similar samples on MalwareBazaar
TLSH 52E4AE00C6285CE7EEDD56FAC4945184E7F9CC3A8D0EE64B974538D9CE3B7A1A9032C6
Reporter abuse_ch
Tags:com Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: siloscordoba.pw
Sending IP: 192.3.3.153
From: Silos.Syla <silos@siloscordoba.pw>
Subject: RE: Urgent Request Quotation (SILOSCORDIOBA GLOBAL COMPANY)
Attachment: Request For New Order0558992005.img (contains "Request For New Order05.com")

Loki C2:
http://kranement.tk/wealth/five/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26933/
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/388712
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246530 Sample: Request For New Order05.com Startdate: 18/07/2020 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 6 other signatures 2->72 7 Request For New Order05.exe 1 6 2->7         started        11 wscript.exe 1 2->11         started        13 wscript.exe 1 2->13         started        process3 file4 36 C:\818225\CIOdPO\CIOdP.exe, PE32 7->36 dropped 38 C:\Users\...\Request For New Order05.exe.log, ASCII 7->38 dropped 40 C:\818225\CIOdPO\CIOdPOnvL.vbs, ASCII 7->40 dropped 42 C:\818225\CIOdPO\CIOdP.exe:Zone.Identifier, ASCII 7->42 dropped 74 Creates autostart registry keys with suspicious values (likely registry only malware) 7->74 76 Maps a DLL or memory area into another process 7->76 15 RegSvcs.exe 55 7->15         started        20 RegSvcs.exe 7->20         started        22 CIOdP.exe 1 11->22         started        24 CIOdP.exe 13->24         started        signatures5 process6 dnsIp7 50 104.27.160.59, 49719, 80 CLOUDFLARENETUS United States 15->50 52 kranement.tk 172.67.210.59, 49716, 49717, 49718 CLOUDFLARENETUS United States 15->52 34 C:\Users\user\AppData\Roaming\...\AA2F06.exe, PE32 15->34 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->54 56 Tries to steal Mail credentials (via file access) 15->56 58 Tries to steal Mail credentials (via file registry) 20->58 60 Multi AV Scanner detection for dropped file 22->60 62 Machine Learning detection for dropped file 22->62 64 Maps a DLL or memory area into another process 22->64 26 RegSvcs.exe 1 53 22->26         started        30 RegSvcs.exe 22->30         started        32 RegSvcs.exe 53 24->32         started        file8 signatures9 process10 dnsIp11 44 kranement.tk 26->44 46 104.27.161.59, 49727, 80 CLOUDFLARENETUS United States 32->46 48 kranement.tk 32->48 78 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->78 80 Tries to steal Mail credentials (via file access) 32->80 82 Tries to harvest and steal ftp login credentials 32->82 signatures12
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf60dd8e927a419d76dfb060c649c888dacc338cc14b5e3abf5e388213fec520/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 18:31:06 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z5qn3duspjaz25w7wbqmmsoirdnmym4myffv4ov7ly4iee76yuqa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
025088f7c1db9c5f9472badb6d1c4f119868b922c52b6bed896e8e2ff746f955
Loki
1f1745eb2812b5c0cc6c26b69661ea1d8ab78a541271950e7b97d0cd2b502db1
Loki
2b419f986ea266fa5826fbb6858782f7c2acfda73aa5ec5cb21d64537d6a4ea1
Loki
2c64af2b995ad6b33bc90f4103e1ae990db77c9c341279c0ab0af1c38d414405
Loki
6b95bdd0d0a511eb1fb20709941e92eb049f4e246b5615554090520a9a509799
Loki
77777da436f12d38fe7834a137bc2bf51c1f09324a1e274d22e51c2ee0b4b8c3
Loki
894a27ced4c36d822d725c58c772cf092cc61cfdfa049c935bf09e83fae6de56
Loki
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
Loki
ceeffdff4b0af45c77f3923e47c03a529c87dd4e0e92fdc88b0551857df53239
Loki
d050b76ba909799dc235b62e32658b86294dbd5c8282df0c4c3f4a5581373603
Loki
+ 1'523 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200716-wxrmrbagcs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://kranement.tk/wealth/five/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

img d600f8b667574c6a1977500843d7d15bfed55e4fc7ebb4cb66e72660414eb0f7

Loki

Executable exe cf60dd8e927a419d76dfb060c649c888dacc338cc14b5e3abf5e388213fec520

(this sample)

  
Dropped by
MD5 133091204ee0ff958d1ed43cea31b0cd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d600f8b667574c6a1977500843d7d15bfed55e4fc7ebb4cb66e72660414eb0f7
Cape
Cape
https://www.capesandbox.com/analysis/26933/

Comments