MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476
SHA3-384 hash: e6ade87a949d87ee04a8edfa8a2d1f8ecb9edbd32f17a0b85c5bcb81fa2f91036a681a2ed7fa55d2bd8e3f2db3a6dff3
SHA1 hash: 9d939273f145ee1d05d226d44e1256ea45625e4f
MD5 hash: dbdc2f5b2f7b338a4673cb4b5b207d72
humanhash: one-hawaii-orange-hotel
File name:C5FB4D13BB4B34F9670BC238A047B53C4392B299139C3DA8B2B70BA9DDD3DB2D.exe
Download: download sample
Signature Loki
Create hunting rule
File size:277'504 bytes
First seen:2024-07-24 21:18:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e22fde80595c4bea0880fd6845018d6a (7 x RedLineStealer, 6 x Loki, 6 x Worm.Ramnit)
ssdeep 3072:C072IS3LradTKvOypCmyGJOB9P4+5F0Ogp/fqzVkB9a5nLum2/ZWbjM+dlNR6tAm:kaRY/0jWt+MOgpfqCBKL4B6p+tA8JoX
TLSH T1D144AE00BB90D035E1B712F4887A93ACB53E7AA15B3590CB62D52BEF66356E4EC31317
TrID 29.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
21.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
6.7% (.SCR) Windows screen saver (13097/50/3)
File icon (PE):PE icon
dhash icon b2dacabecee6baa2 (33 x RedLineStealer, 30 x Smoke Loader, 28 x Stop)
Reporter Anonymous
Tags:exe Loki


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Dropper.Generickdz-9939781-0
Create hunting rule

Win.Trojan.Generickdz-9950759-0
Create hunting rule

Win.Trojan.Generickdz-9951389-0
Create hunting rule

Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a16fcacb3d02fa0e4960c3
Tags:
Execution Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Modifying an executable file
Query of malicious DNS domain
Connection attempt to an infection source
Stealing user critical data
Moving of the original file
Infecting executable files
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc packed shell32
Link:
https://www.filescan.io/uploads/66a16fc7dfa8b2fced4e28e8/reports/1e183890-eceb-41cc-908d-836d8452122e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e89f994e-a72e-4e34-9dca-0d102c0a0584
Result
Threat name:
Bdaejec, Lokibot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480779
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses known network protocols on non-standard ports
Yara detected aPLib compressed binary
Yara detected Bdaejec
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480779 Sample: C5FB4D13BB4B34F9670BC238A04... Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 28 ddos.dnsnb8.net 2->28 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 12 other signatures 2->40 8 C5FB4D13BB4B34F9670BC238A047B53C4392B299139C3DA8B2B70BA9DDD3DB2D.exe 58 2->8         started        signatures3 process4 dnsIp5 30 164.90.194.235, 49731, 49732, 49733 DIGITALOCEAN-ASNUS United States 8->30 20 C:\Users\user\AppData\Local\Temp\wueVEg.exe, PE32 8->20 dropped 42 Detected unpacking (changes PE section rights) 8->42 44 Detected unpacking (overwrites its own PE header) 8->44 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 8->46 48 4 other signatures 8->48 13 wueVEg.exe 18 8->13         started        file6 signatures7 process8 dnsIp9 32 ddos.dnsnb8.net 44.221.84.105, 49730, 49734, 49736 AMAZON-AESUS United States 13->32 22 C:\Program Files\7-Zip\Uninstall.exe, PE32 13->22 dropped 24 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 13->24 dropped 26 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 13->26 dropped 50 Antivirus detection for dropped file 13->50 52 Detected unpacking (changes PE section rights) 13->52 54 Machine Learning detection for dropped file 13->54 56 Infects executable files (exe, dll, sys, html) 13->56 18 WerFault.exe 21 16 13->18         started        file10 signatures11 process12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 21:19:05 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
37 of 38 (97.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=25hl4bwrp7eogr65ubgkc4ag7ixsjxvx34dgc77lco773sn64r3a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot aspackv2 collection credential_access discovery spyware stealer trojan
Link:
https://tria.ge/reports/240724-z56peazhrg/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Accesses Microsoft Outlook profiles
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Lokibot
Malware Config
C2 Extraction:
http://164.90.194.235/?id=17007285853618101
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5d7bd476-53cd-4547-a9fd-9140cb6d95dc
Unpacked files
SH256 hash:
5ef5622dbc703f03e928b6c5924d5dc84bf5a1b5f9b2f9372afaf5e8dc2323fb
MD5 hash:
1bc58cb103bb1d43219e88ea27651ca8
SHA1 hash:
eebfc51c136c667f9bad76d856de9fedb3705dba
Detections:
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/ea406d80-e513-4c8d-8ecc-df2ad04c9dfe/
Parent samples :
96d4f14f8d1be02a21feb4533eca4f270716e7b0feefe6e5a477454f13db99d1
082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495
fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8
29e35c799198c6801c422f8d1f014d8c2e024186220fc959de30e222f6be286d
8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9
c5fb4d13bb4b34f9670bc238a047b53c4392b299139c3da8b2b70ba9ddd3db2d
d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476
SH256 hash:
1b4fc72e53d33113e4d52e45bfa545582daeb7358bc73ddc93d22b19ba1897f8
MD5 hash:
ae7eb71fee5d0dce1c17e24ea6f81eb2
SHA1 hash:
56a8f46a7dafcfefe9f0ebbde6ef9bf8e5fe20d9
Link:
https://www.unpac.me/results/ea406d80-e513-4c8d-8ecc-df2ad04c9dfe/
SH256 hash:
d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476
MD5 hash:
dbdc2f5b2f7b338a4673cb4b5b207d72
SHA1 hash:
9d939273f145ee1d05d226d44e1256ea45625e4f
Link:
https://www.unpac.me/results/ea406d80-e513-4c8d-8ecc-df2ad04c9dfe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeW
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::FlushConsoleInputBuffer
KERNEL32.dll::WriteConsoleInputA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileWithProgressW
KERNEL32.dll::MoveFileA

Comments