MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 19 File information Comments

SHA256 hash:	ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880
SHA3-384 hash:	391782dcf413b136276617069ef72b7063964e4102404bf6f1baf5919742cacbcfcf8794a9f21ec36e32c3e57ed110f7
SHA1 hash:	d6dbef50d3c22d8193709489422e5e3d137136c3
MD5 hash:	e923ec2b220878f6f9f80ce6efbf9166
humanhash:	cold-apart-muppet-mirror
File name:	e923ec2b220878f6f9f80ce6efbf9166.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	302'080 bytes
First seen:	2023-08-08 07:05:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7574067d27f1e097e97a79381564790b (8 x RedLineStealer, 2 x Tofsee, 1 x Amadey)
ssdeep	3072:K29CE3ixEk8ssNjBitgSetNsU9G+N/iVqxT4XctIaw:9fWEss5ITq5MuTZG
Threatray	4'244 similar samples on MalwareBazaar
TLSH	T1D0546D13A6EC6B62E5D28A324E2EF6E4671EFC918F1937DB124C7E2F08711A1D175702
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	70d0ddd0c8c9d2dd (1 x RedLineStealer, 1 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://194.55.224.15/mous/five/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

309

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

RFQ.xls

Verdict:

Malicious activity

Analysis date:

2023-08-08 06:53:01 UTC

Tags:

opendir exploit cve-2017-11882 loader trojan lokibot

Link:

https://app.any.run/tasks/b3fa9010-8cb0-433c-9be5-5b72e0314f6e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/441225/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.20318.6919.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Sending a custom TCP request

Stealing user critical data

Moving of the original file

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bb87e7f7-5ede-44a8-8975-6a461d4d81c9

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1287488

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880/

Threat name:

Win32.Trojan.Glupteba

Status:

Malicious

First seen:

2023-08-08 07:06:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3x5orsp3puwikmaajazuhvqk2kceibyjvvt2amnyhaaffgvm5caa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

19d6c86ef7a1f836a836dfe615377d427d6b32ff4898f417b6c728ec9f7b929c

Loki

5dacd585b978969d845f1550448187b4d2702da0e63fc3676674404cf87b6bc9

Loki

787cc52fcb94334b237932627fa7a1a843c5a9f79b3827b1bc899773601e1d4e

Loki

b3d81043a45b2c155f866d7710200892b12a9f31472c594e664e0a83ea959f85

Loki

caaf2ad88abd9d91104a3b0254448dcab24a59dd0459ef5cf170aabdf2d29b1f

Loki

dbfb7fe4882a662e88d24b69b6e2fe33bafc95124d20b1db754ce05698527eff

Loki

fb104405d5f6a628687964d86dc7c6b4d456aa8645d0d618bd91f2102c9c3760

Loki

+ 4'234 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/230808-hw3sqacf6w/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://194.55.224.15/mous/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

ad8a9f618afc8ee38e9d1b8d72c30b508fdfa080b44227023d330f2ea61a49ac

MD5 hash:

8e1aff6de5fbbc967615383567449283

SHA1 hash:

7493fc867374e3e15e8884ed48ba08407aca7ed3

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/e34b4e27-1987-4fa0-9bff-5cbb764333a4/

Parent samples :

ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880
ae55a1b292a959babb2e1c6e1b1c72cb4723d9cc9a1d5569d86b337d7722b656

SH256 hash:

ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880

MD5 hash:

e923ec2b220878f6f9f80ce6efbf9166

SHA1 hash:

d6dbef50d3c22d8193709489422e5e3d137136c3

Link:

https://www.unpac.me/results/e34b4e27-1987-4fa0-9bff-5cbb764333a4/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ddfae8c9fb7d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_GENInfoStealer Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing common artifcats observed in infostealers

Rule name:	infostealer_loki Create hunting rule

Rule name:	infostealer_xor_patterns Create hunting rule
Author:	jeFF0Falltrades
Description:	The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.

Rule name:	Loki Create hunting rule
Author:	kevoreilly
Description:	Loki Payload

Rule name:	LokiBot Create hunting rule
Author:	kevoreilly
Description:	LokiBot Payload

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_Lokibot_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	Windows_Trojan_Lokibot_0f421617 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Lokibot_1f885282 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe ddfae8c9fb7d2c853000483343d60ad284440709ad67a031b83800529aace880

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2702437/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/441225/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample