MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db43155423f8824b324cc9ddfb85f9ae31e64aeb31052f672313dc0ad8bf21a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	db43155423f8824b324cc9ddfb85f9ae31e64aeb31052f672313dc0ad8bf21a1
SHA3-384 hash:	35918d2921078eb85227d0512d9202eb5fdc52a9d14588de9ed0ee6812d812aa94901cc1d825042d273b02f5baaee838
SHA1 hash:	e97536334c29ae25f00d88c6bec52e313d946b6c
MD5 hash:	88ccdfd18692298af41fb3b594f5b8f1
humanhash:	snake-fifteen-artist-alabama
File name:	New Quotation.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	766'976 bytes
First seen:	2022-02-17 07:32:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:P5Vko+brlIExBy03sD0uyDYEtTa63ZvTznpMj5puqqV+M1YolvszBUq6:mbrlIEx41D0cEtTa8/np8YvV+MaomF56
Threatray	6'911 similar samples on MalwareBazaar
TLSH	T1DEF4AE5631FF1056C3A2EBF20BD8E8BF866EF173160F763A31811B4A8766A40D942775
Reporter	cocaman
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/242181/

Detection(s):

Sanesecurity.Rogue.0hr.20220217-0403.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware obfuscated packed remote.exe replace.exe

Link:

https://www.filescan.io/uploads/620df9fc875593a3ccdc4330/reports/254ac832-1fcc-4640-a743-92410d8c8dbc/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/941407

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/db43155423f8824b324cc9ddfb85f9ae31e64aeb31052f672313dc0ad8bf21a1/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2022-02-17 05:33:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3nbrkvbd7cbewmsmzho7xbpzvyy6msxlgecs6zzdcpoavwf7egqq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

58540b0c7fa89e78f3a5c8f47beda3c43dd1a960ecd732ebc5ec203711d812ce

Loki

8745bcfcc6dcae5b29429a611278c58127abaf751650d7177bb94b801ea67e81

Loki

8cce39c9d68c3ddba4ec97275d8832ff04d88c0ad1eb2a68972f5d9fffc35c95

Loki

c001fd5c9e06d93a19f6be3b36c0878b29915228430f71d20ffbb536d8aa6a58

Loki

ce0a5022e983a49cc2f1a62ea955670379f073ff5ef0e74ada79a8b91a10ee4c

Loki

ef85d2ccb9824e4eb3436002c2ddb3d96ad999f6e8c96382e0c9b6d95f3440aa

Loki

f92ed4b914d93884de367cf9e7878d68bf45f7ab2b6c46abb425c029e791208f

Loki

+ 6'901 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220217-jc1dxsbgcr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://164.90.194.235/?id=13524038937789651
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

ff82cead2455de256e9590429888c01b14df4fb61102ef49a270e2a04d632bbe

MD5 hash:

89490197bc89f840ecaa77e0bb7e2669

SHA1 hash:

b3a56df082e4b09f1a81ef25e038e494812da0ac

Link:

https://www.unpac.me/results/93a2c821-e5f7-480a-a71a-cc2e681426a5/

SH256 hash:

046de8d77344b3f6f1786756e07c2ed7a49916242e21789d032d387431ccd3a4

MD5 hash:

a84151b0f4259f0a096bfc75e67516ff

SHA1 hash:

acc9eca7efa770ec09f3938992aa3f3d2bdcd63b

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/93a2c821-e5f7-480a-a71a-cc2e681426a5/

Parent samples :

4dd4e59368f5e310bdebc4f7ee60778446873c9b930f16366592b471a86f3718
d3217fc16fe7991314f5f0fada36ed506921272105b0e230a0a37c1c1ae3f83d
a712c93c2e0a8ceeb5c34dc11c10e78416c1f992c9ef933740297862de1173d7
db43155423f8824b324cc9ddfb85f9ae31e64aeb31052f672313dc0ad8bf21a1
e1d54d2244d2ee82170a78ae2d63cfde1338a1678aca6679bb9f315d04ca4ba4
00f3c0a599cd58c1725d868ed98835b88a582d32c2a28ac0fee1ef59c84f1c92
df5a9a7702209f24b61b8a6cc48a911ffdab1a8591fc91f61fef4466ebbb70f9
c563c22a6ef57303146195f39aba8eff9dff5e46ddc85e05fb6dab4d14543bfa

SH256 hash:

8c6f5cc4884275927f9a05512099ed1ddc94aa5449974bf453855da9f2b6c1d9

MD5 hash:

890a67390dc6af6cf362c5b38b512af2

SHA1 hash:

92ed138218154f61ad4dd466a0fc1a6728d07226

Link:

https://www.unpac.me/results/93a2c821-e5f7-480a-a71a-cc2e681426a5/

SH256 hash:

86deb3d3213b1126141f567c14feac6df3dc7b70c12d44c8e723925d5a0b92ab

MD5 hash:

cb924aeaebb8851539923b8313ca3c42

SHA1 hash:

0f9dd0c583ba845eb3e9e8eed6ee40f97563843b

Link:

https://www.unpac.me/results/93a2c821-e5f7-480a-a71a-cc2e681426a5/

SH256 hash:

db43155423f8824b324cc9ddfb85f9ae31e64aeb31052f672313dc0ad8bf21a1

MD5 hash:

88ccdfd18692298af41fb3b594f5b8f1

SHA1 hash:

e97536334c29ae25f00d88c6bec52e313d946b6c

Link:

https://www.unpac.me/results/93a2c821-e5f7-480a-a71a-cc2e681426a5/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/db43155423f8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/db43155423f8824b324cc9ddfb85f9ae31e64aeb31052f672313dc0ad8bf21a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.