MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95
SHA3-384 hash:	daf5f7f674b12306131f05b982a288a05eadb51f778bba740d610f5a867088c52f43011b22155ef0ff0dc45ef7c1d408
SHA1 hash:	b1b2d30d5b3358dafa290b5c0dd440da7f76b35e
MD5 hash:	c7043889b4c2d4cb2e88202f22d611a2
humanhash:	ten-saturn-paris-equal
File name:	D69E20F3DF6A35C1E51FAEF8FCA17243FBEE2C86D085A.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	385'024 bytes
First seen:	2021-06-24 16:36:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	979835f0aa6ba5221b2d1f69f920683d (1 x Loki)
ssdeep	6144:i/Lya8OvDatQOTn/y835Ws6KF/CGoBwMM1MM:Ha8OvWtQQf59aGoBwMM1MM
TLSH	3084CEBCA654D61CC0563A32187883E6703C7E9AAFB38CE41B1C5C8ACD3D567EE54D4A
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://hostinggdl.com/images/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://hostinggdl.com/images/Panel/five/fre.php	https://threatfox.abuse.ch/ioc/153397/

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

D69E20F3DF6A35C1E51FAEF8FCA17243FBEE2C86D085A.exe

Verdict:

Suspicious activity

Analysis date:

2021-06-24 16:42:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5ef58e3d-93bd-4d30-9a79-2070e3cdcb2b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/168097/

Detection(s):

SecuriteInfo.com.Heur.PonyStealer.2.6596.18894.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0abb90c7-6b24-42fd-a0b3-45ee12dfb448

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/807627

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Deletes keys which are related to windows safe boot (disables safe mode boot)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Disables user account control notifications

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Yara detected Generic Dropper

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2018-08-30 00:37:44 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=22pcb467ni24dzi7v34pzilsip564leg2cc2v3femycbv4gvfskq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot evasion spyware stealer trojan upx

Link:

https://tria.ge/reports/210624-mzdrvf7xne/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Drops file in Program Files directory

Drops file in Windows directory

Drops autorun.inf file

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Enumerates connected drives

Windows security modification

UPX packed file

Lokibot

Modifies firewall policy service

UAC bypass

Windows security bypass

Malware Config

C2 Extraction:

http://hostinggdl.com/images/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

f3d74280b82433aed6c43c586ed9d6a8999e0af5c63063fdcc36291f4c8ab8ec

MD5 hash:

4c81e6fc2b61ca6cde7e45a5dd878f32

SHA1 hash:

27ec8082c11098b1c6609a7d55f591c3be95a84a

Link:

https://www.unpac.me/results/d6d8562b-f455-426e-a463-1a44288476f9/

SH256 hash:

2e4e816f5839e007149a8987d871776a64b5eeea9a3df7f71b0db12b9ed8d517

MD5 hash:

57cde8ddd4261277272a6151855f8966

SHA1 hash:

9afc39cfad97a3ce12949b65c05f438025fdbac2

Detections:

win_sality_auto

Link:

https://www.unpac.me/results/d6d8562b-f455-426e-a463-1a44288476f9/

Parent samples :

bdb1b6c2151038f1023b551d26ef4eab2d5321066d3352d5357b8bee301b67b0
d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95
4ee41060b8f1c5679b10bebb8378f353ea62eb38ab27f041e3727dd8cb06b19d
f3dda8f48606c448d22a7b407f61757605acc028d3deddd0ad8c1e2742efcf86
39a77ef363317beea8cad0c8dfe80791ee12647f61396cbfa0128b73113bab8d
1a01e198f114dda369db7002b3ab6689c015405ed3837b458eb914eb48b0be45
537b10cf8e13513c59002c768458b911fb39b95a9d5d7cf28455577b26f86af3
eb88869b7f1bc3f33bb3cd56d6cf4d81fbb0beb590cb9678cc1acf3206f3056f
11df6b403ee5a2e308eff2382fe7ec896a087d14bbee47ed8a02c0a4d940bccf
40f6ef54f565857eedc2823d556b6e48f446526b2f8e490f473d79c5b8534849
50d803405e13a8749bbbc53185cc4e3d104ab2dd1d85e3c4c375a95697908ba1
48029d524b58b030cbe0e7dfed75a17aab0f68a316b26bf3f99f59a3f94cb248
db7d41592820a1b25476bdc4abcde914f4be174429866e26af9aed84a71f10e3
a4ef531f35ec95d7ea3310eb9a2ded322d2cdbf57eabe96aa491b8202a420c24
69735cd8499cfbf56dab45602c168d9ce3bec18f106935f17b311c0b17e5ec37
497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
aae8a9852809300d5ee4f5a8031f42f660dff3e427aef081d9aeabb2dca84058
30a9291c7713404a55cc3025689f8305aaf31fb9492a5612841b80f1d2aa45ad

SH256 hash:

44a14cfab13e3660e7405924493e367ad3cffa3e0f73e81b639c2ce4ee6cbefd

MD5 hash:

a962ba9684259a1b9fe55fb7879499a1

SHA1 hash:

5da7d57b54fc8697995308854d392e13e4d74fb2

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/d6d8562b-f455-426e-a463-1a44288476f9/

SH256 hash:

33335237720ec4bc5b09d005e1e3a3171838ebe085450f9441c82e034600c1c5

MD5 hash:

ae14ab9a80254dd65894f394db995868

SHA1 hash:

eaf9ae270220e18e1ff553f4029b4ef29bebff27

Detections:

win_lokipws_g0

win_lokipws_auto

win_sality_auto

Link:

https://www.unpac.me/results/d6d8562b-f455-426e-a463-1a44288476f9/

SH256 hash:

d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95

MD5 hash:

c7043889b4c2d4cb2e88202f22d611a2

SHA1 hash:

b1b2d30d5b3358dafa290b5c0dd440da7f76b35e

Link:

https://www.unpac.me/results/d6d8562b-f455-426e-a463-1a44288476f9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d69e20f3df6a35c1e51faef8fca17243fbee2c86d085aaeca466041af0d52c95

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/168097/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample