MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb
SHA3-384 hash: 5e5a45982e89b0b5e3fc8cd875740ee52512ca62b0af314e41c91c3df4f02e64701b01855475691f4bd9866c0d40143f
SHA1 hash: 9a8f18c06ee87585f6e56554d57a89f5c6843546
MD5 hash: 9d250d679da4026a80422e187bb0d357
humanhash: quiet-blossom-yankee-pluto
File name:QT 70090.exe
Download: download sample
Signature Loki
Create hunting rule
File size:18'432 bytes
First seen:2022-09-23 05:26:57 UTC
Last seen:2022-09-23 05:53:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 384:vIFDhgTk3mHP5hRTpZvz7n7jWPiWVNLpUp8oCQ5E:vIfqkKxJB0ZLmIQy
Threatray 9'280 similar samples on MalwareBazaar
TLSH T12282AF007FEE6235EE6AD6F1AE930A548D71D10D211BEFA468D472AE3A137D10B22770
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 924d51137349552b (4 x Loki, 1 x SnakeKeylogger)
Reporter adrian__luca
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312498/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632d43c0865ed83c011f4f8a/reports/2a17655f-82f3-4de6-bd1e-9c90827364bd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e2fbe249-5833-4500-a21c-2af1d8711621
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075670
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected aPLib compressed binary
Yara detected Costura Assembly Loader
Yara detected Lokibot
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708212 Sample: QT 70090.exe Startdate: 23/09/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 8 other signatures 2->56 7 QT 70090.exe 16 7 2->7         started        12 Tyxki.exe 14 3 2->12         started        14 Tyxki.exe 2 2->14         started        process3 dnsIp4 36 cdn.discordapp.com 162.159.135.233, 443, 49699, 49706 CLOUDFLARENETUS United States 7->36 28 C:\Users\user\AppData\Roaming\...\Tyxki.exe, PE32 7->28 dropped 30 C:\Users\user\...\Tyxki.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\Users\user\AppData\...\QT 70090.exe.log, ASCII 7->32 dropped 58 Encrypted powershell cmdline option found 7->58 60 Injects a PE file into a foreign processes 7->60 16 QT 70090.exe 41 7->16         started        20 powershell.exe 16 7->20         started        38 162.159.134.233, 443, 49705 CLOUDFLARENETUS United States 12->38 62 Multi AV Scanner detection for dropped file 12->62 22 powershell.exe 9 12->22         started        40 192.168.2.1 unknown unknown 14->40 file5 signatures6 process7 dnsIp8 34 162.0.223.13, 49701, 49702, 49703 ACPCA Canada 16->34 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->42 44 Tries to steal Mail credentials (via file / registry access) 16->44 46 Tries to harvest and steal ftp login credentials 16->46 48 Tries to harvest and steal browser information (history, passwords, etc) 16->48 24 conhost.exe 20->24         started        26 conhost.exe 22->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb/
Threat name:
ByteCode-MSIL.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 12:42:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 40 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xb4em2vd6jysoqm2x64yl2rxmp5o3bcveqcrw5umadrkbhpm75q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
02aeff4e07664864d428440cab4be050ddc1504ff997ce0fef7068899139318d
Loki
965de97271f1f38f4a967f5301237a77b00fb891065a96b9eb2fcc1702e4a512
Loki
aa9233aa16889193c6d866d7dc25f1eba29498b7f6a56820abca133e98a8b7f7
Loki
acbc5e7367f627f945f99b9b6e5b3debe0ab53bd62474f2c8e59564e2883217f
Loki
d75f3fa994fec99e6ea86198ce856501a41e70f61b668faf58a233f5c7e6806d
Loki
eaad0fe6a049dd65cfe9d8d720b88a706b43e7512391d19e5cb8254f5b814d11
Loki
+ 9'270 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/220923-f5e2xahbfl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://162.0.223.13/?rujsZEinqQuPZBS8kKnSq21shtrtBBS26bv5QNtgEY6EzZMUJaM9cOCuh3YSFQVL2qQSek9TifxRfkMYuy8HmK
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0f18be72-8565-4b4a-8fc3-4089ddabd7dd
Unpacked files
SH256 hash:
d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb
MD5 hash:
9d250d679da4026a80422e187bb0d357
SHA1 hash:
9a8f18c06ee87585f6e56554d57a89f5c6843546
Link:
https://www.unpac.me/results/3d6f5dba-e956-4142-9bb0-ae433b038ceb/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d5c3c233551f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/312498/

Comments