MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5e1923de474408cc5f31650c36345027663f0411bef1e1ef4fa3a2d56bc5d42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5e1923de474408cc5f31650c36345027663f0411bef1e1ef4fa3a2d56bc5d42
SHA3-384 hash: 292220da1e7523161598edd85db580bf61af822f43f48f321cffd7dfa53382a574ea7936f9014d2dce9c67d66f33c9d6
SHA1 hash: a578b132b87ea4cf22a602bcc84188afc531d55e
MD5 hash: 20ee82eec74bcf77008236d08a4e63ea
humanhash: sink-nebraska-friend-vermont
File name:MV SILVER GLOBE Hire.exe
Download: download sample
Signature Loki
Create hunting rule
File size:247'296 bytes
First seen:2021-05-03 03:35:44 UTC
Last seen:2021-05-03 04:00:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:wUa3ttHyLp/ChdWKEsth6x/d/tQdseKrxK4Cj7MoRs7BkcCTiil7wrGWK:43t22NEi6x/d1S8KJ0bB1jaiG
Threatray 87 similar samples on MalwareBazaar
TLSH 7D34DFFFBA685B2EC1E808B465C541DA86D3AC12DB736ED275CC732E833B076450536A
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://finacafe.net/OG/news/school/boy/choo/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://finacafe.net/OG/news/school/boy/choo/fre.php https://threatfox.abuse.ch/ioc/28105/

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148111/
Detection(s):
SecuriteInfo.com.Artemis20EE82EEC74B.20512.3552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706969
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Wscript starts Powershell (via cmd or directly)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 402405 Sample: MV SILVER GLOBE Hire.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 39 finacafe.net 2->39 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 6 other signatures 2->53 9 MV SILVER GLOBE Hire.exe 18 8 2->9         started        signatures3 process4 dnsIp5 41 launcher.worldofwarcraft.com 137.221.106.103, 49733, 80 BLIZZARDEU United Kingdom 9->41 31 C:\Users\user\...\MV SILVER GLOBE Hire.exe, PE32 9->31 dropped 33 MV SILVER GLOBE Hire.exe:Zone.Identifier, ASCII 9->33 dropped 35 C:\Users\...\MV SILVER GLOBE Hire.exe.log, ASCII 9->35 dropped 37 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 9->37 dropped 13 MV SILVER GLOBE Hire.exe 54 9->13         started        17 wscript.exe 1 9->17         started        19 AdvancedRun.exe 1 9->19         started        21 2 other processes 9->21 file6 process7 dnsIp8 43 finacafe.net 103.74.123.18, 49760, 49761, 49762 FPT-AS-APTheCorporationforFinancingPromotingTechnolo Viet Nam 13->43 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->55 57 Tries to steal Mail credentials (via file access) 13->57 59 Tries to harvest and steal ftp login credentials 13->59 61 Tries to harvest and steal browser information (history, passwords, etc) 13->61 63 Wscript starts Powershell (via cmd or directly) 17->63 65 Adds a directory exclusion to Windows Defender 17->65 23 powershell.exe 23 17->23         started        45 192.168.2.1 unknown unknown 19->45 25 AdvancedRun.exe 19->25         started        27 AdvancedRun.exe 21->27         started        signatures9 process10 process11 29 conhost.exe 23->29         started       
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d5e1923de474408cc5f31650c36345027663f0411bef1e1ef4fa3a2d56bc5d42/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-05-03 03:36:08 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2xqzeppeoraizrptczimgy2faj3gh4cbdpxr4hxu7i5c2vv4lvba._file
Verdict:
unknown
Similar samples:
59a7beab1c7583b7995b157e9e87beb6fa0785c49784bf0b9d13bd143a696541
Loki
654fee180d29661e28f504f62affb32a366e1ba97b01cc8de69854e8bc032b63
Loki
754415201ac666285c12b35d0fc3ab30f7fb48d7a9c9c54c8cee746be8ed4e7a
Loki
82426d67e219a1d9ac41d9bd9e3d4a74beb90472176320a5ace56d295ce3dd9c
Loki
a9a3bb0f7160512839169fd9095821469bbfd54228b6c4c7dc9da4a53cafffb9
Loki
c8f09665c4c94041dd63191d0ea1b0f5092dc636eea7191242a7d7da9d7fa8b6
Loki
cfda81fea66e56fe0f6a8eed267b836f31c7c3f1d7ecdf08fb0c13f8203e7dcb
Loki
ea31b5ce4282473fcb609cdc4c66649b2e79bbe96125b35954c015266f22a95c
Loki
f98f307a6a414fcbe42e1017d720f1ed8c9e0df21b703f74e94dbe1afa8b32ff
Loki
fb91f67073fef8d391ccb08c31183ff2ff00e8a8ca0f71fb5bfce17fb0ddbd26
Loki
+ 77 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210503-5mqptxtena/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Lokibot
Malware Config
C2 Extraction:
https://finacafe.net/OG/news/school/boy/choo/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
db7782bc89d355c9aa31252035736c3059bbc25a032884fe8c7fc0e79e57bab1
MD5 hash:
799f9bb8b419b1d0f4e2e5f8fa29fc1c
SHA1 hash:
d1fd66b0fa2f0b7e6a4b367f6b30fbeb284a33e0
Link:
https://www.unpac.me/results/1c55ad4d-6258-4765-b654-c3957ef56965/
SH256 hash:
f74019066aec6a8f35b0298decce968df3979d6abf3fabe736770803af713d82
MD5 hash:
7e42fe2405f053faa1d9321e9a080f86
SHA1 hash:
8ee3bd3d1440bdfeb375be27425739e24ffb4381
Link:
https://www.unpac.me/results/1c55ad4d-6258-4765-b654-c3957ef56965/
SH256 hash:
035202732688242aa21bf21667d25c3568067e3ac01508aa942255db7f90bbaa
MD5 hash:
e10267b149f3c6d033f64b03a1169189
SHA1 hash:
5ba9a6e91961922ba54379c52354ddcdfb8cba1f
Link:
https://www.unpac.me/results/1c55ad4d-6258-4765-b654-c3957ef56965/
SH256 hash:
b5dca9224bea601fbe41d8e77c5ece992691f7fa04db3a4c429ec494e9399c7d
MD5 hash:
6d337a3db9c5811486122e2d8eaef1a0
SHA1 hash:
19c685a49035f92037de5cb252430bf85827cbba
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/1c55ad4d-6258-4765-b654-c3957ef56965/
SH256 hash:
d5e1923de474408cc5f31650c36345027663f0411bef1e1ef4fa3a2d56bc5d42
MD5 hash:
20ee82eec74bcf77008236d08a4e63ea
SHA1 hash:
a578b132b87ea4cf22a602bcc84188afc531d55e
Link:
https://www.unpac.me/results/1c55ad4d-6258-4765-b654-c3957ef56965/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/d5e1923de474408cc5f31650c36345027663f0411bef1e1ef4fa3a2d56bc5d42

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148111/

Comments