MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dddb0db17f3e37f65e313ae4110dd5ce5dbca0f51801d12e87cb602d36c34993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs 1 YARA 2 File information Comments

SHA256 hash:	dddb0db17f3e37f65e313ae4110dd5ce5dbca0f51801d12e87cb602d36c34993
SHA3-384 hash:	e12b221f7c853a1eb500258b07575463af85fb71edb9caff99685461ac3bc1c1a46d4824afbff12b52e780d7a1d78374
SHA1 hash:	20eb4b20afbae940d3a21b43a18d67c3be7f8795
MD5 hash:	b1f199c338af2507f26048b0570c5b32
humanhash:	edward-queen-gee-cup
File name:	SecuriteInfo.com.W32.AIDetectNet.01.879.27921
Download:	download sample
Signature	Loki Create hunting rule
File size:	942'080 bytes
First seen:	2022-08-09 04:29:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:l/yKZ+uOOOuYGLW9uJhZ1Q7LH8vjyug2ycScyiJAsPpqzZOz/:l/yK8uOOOuFLEO71QfcryugcymGZO
TLSH	T19515F141A3985731C66A7BF5925CFE900BE36DD6713EDA283EC200F9622476312A5D3F
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.3% (.SCR) Windows screen saver (13101/52/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2aeb8a0e8d48282 (6 x Loki, 5 x SnakeKeylogger, 4 x AgentTesla)
Reporter	SecuriteInfoCom
Tags:	exe Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://208.67.105.162/cloud2/five/fre.php	https://threatfox.abuse.ch/ioc/842138/

Intelligence

File Origin

# of uploads :

# of downloads :

328

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

SecuriteInfo.com.W32.AIDetectNet.01.879.27921

Verdict:

Malicious activity

Analysis date:

2022-08-09 04:29:30 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/1d53cc0d-f1f5-41fc-b036-9b50356225ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/297225/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.879.27921.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fb5f40ac-fa73-46c3-915f-e8bf21a54c17

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1048250

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/dddb0db17f3e37f65e313ae4110dd5ce5dbca0f51801d12e87cb602d36c34993/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-08-09 01:04:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3xnq3ml7hy37mxrrhlsbcdovzzo3zihvdaa5cluhznqc2nwdjgjq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220809-e4tcgachhk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://208.67.105.162/cloud2/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

8f1a14d9384bd6ba88e1de26c6b8a90aa867df0b4481a184ef1b645612030770

MD5 hash:

44ff314a52bbebabdc8b613f6ba4ba8a

SHA1 hash:

9a7271e11fb42739c986abc9a7c4083e91de0b84

Link:

https://www.unpac.me/results/2a16428c-5e21-4cbe-aa27-c55b8cbe683a/

SH256 hash:

ec29023f4be0e9b300aabe8a73c10d58dd120da8c87202894414ccf2aeb6b223

MD5 hash:

e417e20ac857915ed30136bc62faebf7

SHA1 hash:

8fc74da06b24a99cec021a006778d4c951722c67

Link:

https://www.unpac.me/results/2a16428c-5e21-4cbe-aa27-c55b8cbe683a/

SH256 hash:

c9ccdfd868ee1c7a9054929665a8510d6ebd97640e2a1d083cf4cad125b422a5

MD5 hash:

5b98d6311865844f7a481d80328b9a4b

SHA1 hash:

3c2dd8c194790d31fe069c8903ef72fb9c5ff2f7

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

Link:

https://www.unpac.me/results/2a16428c-5e21-4cbe-aa27-c55b8cbe683a/

Parent samples :

dddb0db17f3e37f65e313ae4110dd5ce5dbca0f51801d12e87cb602d36c34993
8b00ebb30366c22ee6d5ef1f83d32875c9d905d431759a2b44a26b1a41f2e5d7
ffc688fdf5a5402bec02f7b2b07547550db12c71a3c7512a5a1aac68aaba4d68
6c2dbe9186cdc0420805503cfe596f45fe60929d00d4cf8d3a2677383ef7dd4c
16429487612585511ff35dabf771265f5b673b77bafcdacd833cb000e7a0bfbd
5b73830e66c1a307283252045a503c3542846f2e2d9a4d81d33f6fb175c56576
9b4f8e528119079279f3c8b7a39648b4513b99478429e38cc4c29f40c16171fe
c4ed389d2a13951afac8a80ed50b7e23fd90f99ae590360a6b7387aff965f104
4cfb81b3b66a709900d796d69de2013dcdc67f71e5c3c6a4424e8193b908fa06
947e2ac7336ec82cf2fe876c1d949021e580f6140ee560050beb441453db11c0
edaa61e2ce893718af9e07c6defee0a4a37cf2741c21ebf464c29d9e5ef49981
93ef79b87e5569ab94a7c5bcfa24cc8b9ecabee5f18ec90352cb00a315afb789

SH256 hash:

6f7d575e37ce699f66afcba0dbf44a9a0dd02f59b0002b9e31a6581ce6dd2cbb

MD5 hash:

92ba80692bca6e23842eec60f86d6a53

SHA1 hash:

3b2aad569a3943c5cd5bb415892262195d5f5d72

Link:

https://www.unpac.me/results/2a16428c-5e21-4cbe-aa27-c55b8cbe683a/

SH256 hash:

9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034

MD5 hash:

93c6391d23c1aa1ed66fb13f82f2ee31

SHA1 hash:

220098c3047c32b51ae13a5cc1e9beeef3da6e18

Link:

https://www.unpac.me/results/2a16428c-5e21-4cbe-aa27-c55b8cbe683a/

SH256 hash:

dddb0db17f3e37f65e313ae4110dd5ce5dbca0f51801d12e87cb602d36c34993

MD5 hash:

b1f199c338af2507f26048b0570c5b32

SHA1 hash:

20eb4b20afbae940d3a21b43a18d67c3be7f8795

Link:

https://www.unpac.me/results/2a16428c-5e21-4cbe-aa27-c55b8cbe683a/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dddb0db17f3e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/dddb0db17f3e37f65e313ae4110dd5ce5dbca0f51801d12e87cb602d36c34993

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/297225/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample