MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcbec7985540b0bef3dc49943360237dd6566c1be790f77a0288d7ca6bb53e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	dcbec7985540b0bef3dc49943360237dd6566c1be790f77a0288d7ca6bb53e23
SHA3-384 hash:	8721e1147a6fb95fb9480546e90c5ecdb80d12857417a1ae51ce465d6c79e83158c89fe9fbada5a29b4ec6af3558a7e9
SHA1 hash:	af502be793b24fe3324e36f66f45c2a3b384225a
MD5 hash:	e8987dc10cf551f9cd981a4a2705d593
humanhash:	chicken-zulu-august-glucose
File name:	SCAN_DOCUMENT.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	358'912 bytes
First seen:	2020-10-13 07:21:35 UTC
Last seen:	2020-10-13 13:51:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:dfP65HsW7kFuG97mwIxeKg0xb5+aYVfp8RMEkct8Y3gsvI3OuZ:dOHVywgE5+aCyWTq9QsvIT
Threatray	1'815 similar samples on MalwareBazaar
TLSH	5B74CFF1728E495AF5AA027281A6B4C3F17E15CA3F1D850DAD5B830C4DA271F07DAA4F
Reporter	abuse_ch
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/70308/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.fc.7305.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

Creating a file

Changing a file

Replacing files

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Stealing user critical data

Connection attempt to an infection source

Moving of the original file

Sending an HTTP POST request to an infection source

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/489298

Signature

.NET source code contains very large array initializations

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/dcbec7985540b0bef3dc49943360237dd6566c1be790f77a0288d7ca6bb53e23/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-10-13 04:04:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3s7mpgcvicyl5464jgkdgybdpxlfm3a346ipo6qcrdl4u25vhyrq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

spyware trojan stealer family:lokibot

Link:

https://tria.ge/reports/201013-fgd64sfeq6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://195.69.140.147/.op/cr.php/3IAhLIb1TTSzV
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

dcbec7985540b0bef3dc49943360237dd6566c1be790f77a0288d7ca6bb53e23

MD5 hash:

e8987dc10cf551f9cd981a4a2705d593

SHA1 hash:

af502be793b24fe3324e36f66f45c2a3b384225a

Link:

https://www.unpac.me/results/3176ef0b-b6b3-4c80-b45b-f821074e1432/

SH256 hash:

88c1ca6811286ba82321c7ffe5e38ad8e3b5ed35f8d593fa5005baabc8064664

MD5 hash:

827df12d52d6e144fa5a06fdb1e85a3e

SHA1 hash:

2619270bb021b6e3064405f6776f6603871913d9

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/3176ef0b-b6b3-4c80-b45b-f821074e1432/

Parent samples :

8ea5067082a325edf7c4436c4543c8620b4b65306c5bb582d8e962bca151f1b5
b252ee4bb76b6f31587ea0820ee4c3989f39e7f4c921397ecd79f1718c854cbe
dcbec7985540b0bef3dc49943360237dd6566c1be790f77a0288d7ca6bb53e23

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/3176ef0b-b6b3-4c80-b45b-f821074e1432/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/3176ef0b-b6b3-4c80-b45b-f821074e1432/

SH256 hash:

e3f3f21f1da73f127615d0ce7f20b1159facd9b5015ef223de73dddbcdf1f59a

MD5 hash:

7a4f8f06291d4cff66c36c4963e2d0e6

SHA1 hash:

dfe8b19e175fb63bd891664e11e9f7fa646f4bf1

Link:

https://www.unpac.me/results/3176ef0b-b6b3-4c80-b45b-f821074e1432/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dcbec7985540b0bef3dc49943360237dd6566c1be790f77a0288d7ca6bb53e23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_lokipws_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/70308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample