MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 3 File information Comments

SHA256 hash:	d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275
SHA3-384 hash:	7c34799c0e9071a1319123aa515c9e2ccca836472cdcbd16293fec5ca3d96cda77ba2376350e1d3ec46fd6889be13d7d
SHA1 hash:	6acaf889207e36b7b92b24c634cb45059e40fc0a
MD5 hash:	f125944b096766c72464bd730ca095d3
humanhash:	happy-november-cup-johnny
File name:	f125944b096766c72464bd730ca095d3.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	232'960 bytes
First seen:	2023-10-02 23:50:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a7960cb042304220b44306228fd698f9 (3 x Stealc, 2 x Tofsee, 2 x Smoke Loader)
ssdeep	3072:f8f8syVXqL665gjX47euvlNWCu0WygtPZ5qwKnF2R/Q:EigDec6zQwKF2R
Threatray	4'316 similar samples on MalwareBazaar
TLSH	T1B134D02239B0C072D6A746755830DB952F7FB97273B4C57B37160AAEEE203C19B26316
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	0819101640a08000 (1 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://sempersim.su/a14/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

364

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

f125944b096766c72464bd730ca095d3.exe

Verdict:

Malicious activity

Analysis date:

2023-10-03 00:20:20 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/7fcc7f82-d498-4211-b49a-4ae6a85224bc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/452760/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/651b576c64965c51f77273a4/reports/16abd385-d4ff-4b1e-967e-efba53d7ef08/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e8e1f9d-019d-49b2-b803-4c915f1de623

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1318352

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275/

Threat name:

Win32.Trojan.Smokeloader

Status:

Malicious

First seen:

2023-10-02 23:51:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 23 (82.61%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2wa6darhwcigtthifpftr6f4e4dm4n2abyr2wfz2sa6ewamaij2q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

2ef5a24a26c31f7354dfedf1fe3479fd404033790eba2592f3ee4f5a5a3f687e

Loki

5a03844c03ea9b4e34f2ada73b4f8d88b7f3a22a5672bfa6b6e2c88001f537bf

Loki

aee50d82b5d6c5a831a657c80fcd337e4288fc7f1de662b841ec53499d57b625

Loki

b3d81043a45b2c155f866d7710200892b12a9f31472c594e664e0a83ea959f85

Loki

c2e87e031cf06cfbc066444c30dc76d1377857012a034143c7b039b292da73b9

Loki

dbfb7fe4882a662e88d24b69b6e2fe33bafc95124d20b1db754ce05698527eff

Loki

f104365d9d691369911b38002c19e70d462a50a243a35bca970cc00f80040f52

Loki

+ 4'306 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/231002-3v5k5sha94/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

https://sempersim.su/a14/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

601477fd9a5eddcb2edc4c14984d4ab3a8bbc70b6f8d8aeb4d4dcdfbf9a306ec

MD5 hash:

38de09e1e8b3ddb2de5bee69493bdef0

SHA1 hash:

760f70c1b10c59f4fc93c15cb7ee1b4f3fa2b1ea

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/88a89d79-1ab3-422e-bc6c-e9cb12955490/

Parent samples :

b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714
d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275
af0b630ad64ed3f1b91f55389e78fe82c2b0dcaee4965b6442ec2c6814a38da5
da5c8721b3c8624f2234309272d145894cbb0242281c5bd7cfa9e804842fc6e2
bf9544ac2abf7d615418a8e03e8226820c8ba48e049467136b257825ccf730f7
ae8131e8c5b55b77c69a8962dcf41b811b0411f1b4c1d9e702d446e639648e97
47828de9e3c3b3bf2955c6cd2a72f2d75cb54c91756eee1b56a42bd1bf09f7f2
a3a3d37f3ca0dc20bb1e4ef9c90925369e9d5713e7ddb797ca2b7c2cea0414c3
da21ece2f4aa50ee504970a2fefed88038ade14bb3f68b0d6e388da6f40628c9
f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e
9b84ca1d7fb41a824ccb4693789fee6b94cea21cbd8645840814dfb650ffdb20
b37c2f6f3a9d1b078d6ca93e073a14baa50bb7496280d3529c87b0e8e2d1a36c

SH256 hash:

d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275

MD5 hash:

f125944b096766c72464bd730ca095d3

SHA1 hash:

6acaf889207e36b7b92b24c634cb45059e40fc0a

Link:

https://www.unpac.me/results/88a89d79-1ab3-422e-bc6c-e9cb12955490/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d581e18227b0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2715871/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/452760/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample