MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd5c4335594b77493bc8960293af89aecce0c3ff6e66bdddd13d239f29929b2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd5c4335594b77493bc8960293af89aecce0c3ff6e66bdddd13d239f29929b2d
SHA3-384 hash: 92d48e2878b26c9f789541d46e4d6a3e0b4e753351c935d0d0151df734ffad71d7e31b014879c26eff167aabd3b25a52
SHA1 hash: 96b9a549ffdfe1ce9ebc42bfec89c3043a4073e8
MD5 hash: 67a55d19a84aec75df6f0f4e623db2fa
humanhash: tennessee-london-leopard-high
File name:MVKilburn.exe
Download: download sample
Signature Loki
Create hunting rule
File size:450'048 bytes
First seen:2021-11-22 07:01:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:8iJeztVVli6EICzdJSSkVLrRLfCy5F5A:hezfVlipI9S8PRLKyv
Threatray 6'299 similar samples on MalwareBazaar
TLSH T156A40DADBB870A62EDDDD0B049130A14FB6F0F1322D4E9A653DBE5CAA74F06D2C44D94
File icon (PE):PE icon
dhash icon aca299a68e86a2b0 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://doanlee.com/stop/need/work/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://doanlee.com/stop/need/work/Panel/five/fre.php https://threatfox.abuse.ch/ioc/251901/

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MVKilburn.exe
Verdict:
Malicious activity
Analysis date:
2021-11-22 07:04:27 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/a884481f-6aeb-4ccb-9244-8ddf8dd451ee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Unauthorized injection to a recently created process
Running batch commands
Reading critical registry keys
Launching a process
Creating a file in the %AppData% subdirectories
Changing a file
Sending an HTTP POST request
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated
Link:
https://www.filescan.io/uploads/619b406b94a88037d2fdcffe/reports/cd913206-e008-4f14-90b2-2223205ff34e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9f03804-b22d-4628-a657-92d7449e74a3
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893594
Signature
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526072 Sample: MVKilburn.exe Startdate: 22/11/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 5 other signatures 2->53 7 MVKilburn.exe 3 2->7         started        10 ttf56.exe 2 2->10         started        process3 signatures4 55 Tries to steal Mail credentials (via file registry) 7->55 57 Tries to delay execution (extensive OutputDebugStringW loop) 7->57 59 Injects a PE file into a foreign processes 7->59 61 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->61 12 MVKilburn.exe 54 7->12         started        16 cmd.exe 3 7->16         started        19 cmd.exe 1 7->19         started        63 Machine Learning detection for dropped file 10->63 21 cmd.exe 1 10->21         started        23 cmd.exe 1 10->23         started        25 ttf56.exe 10->25         started        process5 dnsIp6 43 doanlee.com 45.252.248.18, 49760, 49763, 49764 AZDIGI-AS-VNAZDIGICorporationVN Viet Nam 12->43 45 192.168.2.1 unknown unknown 12->45 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->65 67 Tries to steal Mail credentials (via file / registry access) 12->67 69 Tries to harvest and steal ftp login credentials 12->69 71 Tries to harvest and steal browser information (history, passwords, etc) 12->71 39 C:\Users\user\AppData\Roaming\...\ttf56.exe, PE32 16->39 dropped 41 C:\Users\user\...\ttf56.exe:Zone.Identifier, ASCII 16->41 dropped 27 conhost.exe 16->27         started        73 Uses schtasks.exe or at.exe to add and modify task schedules 19->73 29 conhost.exe 19->29         started        31 schtasks.exe 1 19->31         started        33 conhost.exe 21->33         started        35 schtasks.exe 1 21->35         started        37 conhost.exe 23->37         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd5c4335594b77493bc8960293af89aecce0c3ff6e66bdddd13d239f29929b2d/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 07:02:07 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3voegnkzjn3uso6isybjhl4jv3gobq77nztl3xorhurz6kmstmwq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
00ad9c596b2af402b7d77a1b6d1c81337f76c3d4e4af1e429fafbdf6a8530ff7
Loki
4010e4cf063629069f5a7fc586b1845433b426d6c09f5a8eeabb348a2686f89f
Loki
9816d7c9ea6d500a83b2fac06aeb4fa26603b2eccf61c4c13ad7eff59505652f
Loki
a3f50eb98afaf1fa3611be5e129012a443fb0f7e248e8d1e2c2e395d69c4fae1
Loki
a821f6915c6407fe0347c376b15a83f7c63d253d7686040855c0e24ad0b57a5a
Loki
aa16e563346384cfcb7fbd83727cce3dfffa7ae31ee3581671ba3d57a5e21829
Loki
cc79b6addef36d35bd0bf4f00516feb820da0eb89d1768d79c98bc82b136dcc2
Loki
+ 6'289 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/211122-hts6hafaak/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
https://doanlee.com/stop/need/work/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
c3122773852e1069babb036f4623e313128ce0b7cbe8e97dd6622cf17149dd6f
MD5 hash:
7b2cb5f22ce60762d021ddd8975c6c28
SHA1 hash:
d464ef79cab0f8909e6988647570249db4290540
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/830f6d7d-9982-4808-9bfa-8c4718f9dc48/
SH256 hash:
dd5c4335594b77493bc8960293af89aecce0c3ff6e66bdddd13d239f29929b2d
MD5 hash:
67a55d19a84aec75df6f0f4e623db2fa
SHA1 hash:
96b9a549ffdfe1ce9ebc42bfec89c3043a4073e8
Link:
https://www.unpac.me/results/830f6d7d-9982-4808-9bfa-8c4718f9dc48/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd5c4335594b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd5c4335594b77493bc8960293af89aecce0c3ff6e66bdddd13d239f29929b2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208020/

Comments