MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db83a3e2df5a18c17425bfd6e073a153975b2127712cfea49ea3212068cd77f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db83a3e2df5a18c17425bfd6e073a153975b2127712cfea49ea3212068cd77f6
SHA3-384 hash: 3b96045d455fa163bea3233c057bedc8bccf36658d36b541182ecda3a74d134e997678c4c76d4f672411f371532f02e5
SHA1 hash: f349c627b4628fca6aa500920d80cb497a0d66b6
MD5 hash: b64b557e0972cda4484713d25d7d0fa3
humanhash: finch-happy-sodium-blue
File name:5260231.jpg.exe
Download: download sample
Signature Loki
Create hunting rule
File size:358'912 bytes
First seen:2020-10-13 17:19:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:EdfP65HsW7kFuG97mwIxeKg0xb5+aYVfphu2fUUy/CEO7vk:EdOHVywgE5+aCJOCEU
Threatray 1'850 similar samples on MalwareBazaar
TLSH 6574BFF13F8E5A39F6560B3191E6B0C3F23D21CB3E5D8A0DAE5A831C5E91217079664B
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70555/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.fc.22394.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/490096
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297494 Sample: 5260231.jpg.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 5 other signatures 2->60 7 5260231.jpg.exe 9 2->7         started        11 pcalua.exe 1 2->11         started        13 pcalua.exe 1 2->13         started        process3 file4 30 C:\Users\user\oih.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->32 dropped 34 C:\Users\user\oih.exe:Zone.Identifier, ASCII 7->34 dropped 36 2 other files (1 malicious) 7->36 dropped 62 Drops PE files to the user root directory 7->62 64 Tries to detect virtualization through RDTSC time measurements 7->64 15 oih.exe 4 7->15         started        19 cmd.exe 1 7->19         started        21 oih.exe 3 11->21         started        signatures5 process6 file7 38 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 15->38 dropped 40 Writes to foreign memory regions 15->40 42 Allocates memory in foreign processes 15->42 44 Injects a PE file into a foreign processes 15->44 23 AddInProcess32.exe 15->23         started        25 reg.exe 1 1 19->25         started        28 conhost.exe 19->28         started        46 Antivirus detection for dropped file 21->46 48 Multi AV Scanner detection for dropped file 21->48 50 Machine Learning detection for dropped file 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 signatures8 process9 signatures10 66 Creates an autostart registry key pointing to binary in C:\Windows 25->66
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/db83a3e2df5a18c17425bfd6e073a153975b2127712cfea49ea3212068cd77f6/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 17:18:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
09e967e35d3f03784901577e89322f008ed33c6b26453256d5b2492cab996c8d
Loki
199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8
Loki
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
814b0968761c0dbd4a43208cd82d150aa6608538abb845561257687ed9cd0524
Loki
8867e72aaf3985ed148d3049c628d73ba0024e3129e466c17bd6a665be9e84f0
Loki
89aa89c61fae1a3590e3e0e60bac9191774881f0cc931a4609151067520bb293
Loki
96ff361eeb8ab440652d1cbb8b28146f8dd9ee8cf9885f84ff4592b2551da57f
Loki
a702e991a5cf37a366df45fe22e62035795de3d38a36b87c17403c4283abf369
Loki
f94e8615fb3b739ab3ad8ec81511b5439a72d4e865a5f9975aa524ac6036d3c2
Loki
+ 1'840 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
persistence spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201013-ghhke9an3n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://192.236.178.210/sick1/33/cgi.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
db83a3e2df5a18c17425bfd6e073a153975b2127712cfea49ea3212068cd77f6
MD5 hash:
b64b557e0972cda4484713d25d7d0fa3
SHA1 hash:
f349c627b4628fca6aa500920d80cb497a0d66b6
Link:
https://www.unpac.me/results/58c64788-00eb-42cd-a217-00c3e66cf7d9/
SH256 hash:
fe2704a83d24aeed843b24544f1097fac72c778ae366013d467c856f89516012
MD5 hash:
426994c458b2db44f9d1965ec016af2b
SHA1 hash:
2b5b5a39d1fed3925e05ce730a85e542e0d5b1cc
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/58c64788-00eb-42cd-a217-00c3e66cf7d9/
Parent samples :
db83a3e2df5a18c17425bfd6e073a153975b2127712cfea49ea3212068cd77f6
771446f2808b2b3f82b2140a833e68c3eec3e2d1e1ccc68b43e2ec25560cd19c
SH256 hash:
5ee2e42944f690d2c7fda9df4527b2d32dce8e41e58ef85115d0b2227e5c986b
MD5 hash:
08184777f9453791241e68eca251fa83
SHA1 hash:
baab5bb4b1a3d261acb034043ac82bd2ed96cd6d
Link:
https://www.unpac.me/results/58c64788-00eb-42cd-a217-00c3e66cf7d9/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/58c64788-00eb-42cd-a217-00c3e66cf7d9/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
e3f3f21f1da73f127615d0ce7f20b1159facd9b5015ef223de73dddbcdf1f59a
MD5 hash:
7a4f8f06291d4cff66c36c4963e2d0e6
SHA1 hash:
dfe8b19e175fb63bd891664e11e9f7fa646f4bf1
Link:
https://www.unpac.me/results/58c64788-00eb-42cd-a217-00c3e66cf7d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db83a3e2df5a18c17425bfd6e073a153975b2127712cfea49ea3212068cd77f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/70555/
  
URLhaus
https://urlhaus.abuse.ch/url/686820/

Comments