MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de50750ee78194b412f3089ae953e5851bf3017f23246663d22f05ce3a29d9e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	de50750ee78194b412f3089ae953e5851bf3017f23246663d22f05ce3a29d9e7
SHA3-384 hash:	1f0f7dfebae1ece55971fccbccca1d9f947cbf1d14502a0e5ebac8db0f9c2eb5bfb47f24ec0599a17a0c8a24660fddc5
SHA1 hash:	f303fc5a827682417e7748e22c0aa934a34b571c
MD5 hash:	9a1021a8710e70067aaf02eb85f38d2a
humanhash:	princess-oven-mountain-bulldog
File name:	ehAVJaSocCMlMOg.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	579'072 bytes
First seen:	2022-06-08 14:37:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:PNkm2iN/I9qoAK9mG28njvER5qmFULie2M3Telz+JtGXpyZq:F1pIvmanTER5cLie/e4aYZq
Threatray	9'685 similar samples on MalwareBazaar
TLSH	T107C4F0F09FF83965E12921737464613C37E29D1ECC659A3AD68BF19B3067AC210E1E1B
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://filcoco.xyz/cc/tt/fofo.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://filcoco.xyz/cc/tt/fofo.php	https://threatfox.abuse.ch/ioc/671908/

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

ehAVJaSocCMlMOg.exe

Verdict:

Malicious activity

Analysis date:

2022-06-08 18:42:56 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/0d9bfb3d-e93b-4002-b436-9b5e9c4ed1a2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/277816/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/62a0b4545dc88d35716be780/reports/c76bd0cc-d5a7-4c58-833f-fb2160465532/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3667fd6a-3e76-4204-950b-3b4b49ba1836

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1009119

Signature

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de50750ee78194b412f3089ae953e5851bf3017f23246663d22f05ce3a29d9e7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-08 14:06:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3zihkdxhqgkliextbcnosu7fqun7gal7emsgmy6sf4c44orj3htq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

3851e1c8c896ecae1035576a4b37d1fafa0690df428e255ed709c155cf77279c

Loki

5b5bd50012b9848d1355f91c4f3efa38100c1a9363eef979e8f2b77e0251caaf

Loki

604de352cfc00690d2b3f3ca1dc90665f87f7f8274e30fdc2fb82532a578e84a

Loki

763b9ddb8670835d34e5ecbd031c8077ad8c1e1572e43f558fa664a8d6b0c4d5

Loki

b1cc856c344e865a18fedd4896c63481334b070bbdaaa522bd4e0828021d9263

Loki

d902f942cd74852a9eb94d5261f41b6368114bd1a62f969b8f5def360b3b8b4b

Loki

da2f8b897d09228f81c3019c98676c771b85f0d68471628dfb685201af0422d5

Loki

fb64edef93ff134eaab5bcaa901f240719bfb6874f8f4f4615404e96979b1c56

Loki

+ 9'675 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220608-rzpjyafdh5/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Fake 404 Response

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://filcoco.xyz/cc/tt/fofo.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

9dcedf2db3e3390a75cc397fc4dc10b0ccb46dce0c914d847f5fb48690af95b3

MD5 hash:

e58cb392ef6b6cf55795e3db36782173

SHA1 hash:

eb5d802c43995fb9391625b928ba3b61d2b296ec

Link:

https://www.unpac.me/results/e2f3497e-8f53-42e9-af86-64e4720ae4c7/

SH256 hash:

42d924291847a619990ab95c1d2a3cfdaf4bfaa78f6e05b5bc280b3cafefa8e7

MD5 hash:

268e91a8d681794ec1a25d25958a00ba

SHA1 hash:

cc0a8a25454dbf913a49f4d33ba0f3ccf19f1fa8

Link:

https://www.unpac.me/results/e2f3497e-8f53-42e9-af86-64e4720ae4c7/

SH256 hash:

83f1b00dc7cafd347411add455382b7476326c06ed1fccffbc73ea2f772761c4

MD5 hash:

f72ef717851c377ebd7541df6ceb5bcc

SHA1 hash:

6cf60acd0b6def0ea88b80b6ac10233582bc33d9

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

Link:

https://www.unpac.me/results/e2f3497e-8f53-42e9-af86-64e4720ae4c7/

Parent samples :

de50750ee78194b412f3089ae953e5851bf3017f23246663d22f05ce3a29d9e7
199e617b005c0f203acad30c0ac8073038ed16daeabc3be093469941939c1bf9
b5e8f1ec2667b40074bf0fa452eca1e0b160aa27e6c5acb524574ccf974bb349
587079ea4735c6cdce8bfd41fbc17e4e99fbc1e99f76da91bfd6d42f51bd1b7a
21c8a7e0febde5e77ba88f37eeb31060b76a66091ed5b532b68cd3e69ee5f3c2
08aa801b629e0a5e123d9193db46479e7e7e5c020d8faebf303e22a1f576afbf
ffd28f3ea7039fb20b36fa5412b8158fe7c287108248fb4d0cc129ab816d3541
9cf8cec716494538cbf00b312c9b4cf3eb24a578e515c5fa3e7ce7ed42c8bb86

SH256 hash:

4b3059a1fcd6c58c7fc4e574766133e89e95cb0fe6631b7f4aee664370c2571d

MD5 hash:

97f6ddc9c7e648e589849d8d6466bc18

SHA1 hash:

1104888244c872d5726728e0cb05ae6edaabf2bf

Link:

https://www.unpac.me/results/e2f3497e-8f53-42e9-af86-64e4720ae4c7/

SH256 hash:

de50750ee78194b412f3089ae953e5851bf3017f23246663d22f05ce3a29d9e7

MD5 hash:

9a1021a8710e70067aaf02eb85f38d2a

SHA1 hash:

f303fc5a827682417e7748e22c0aa934a34b571c

Link:

https://www.unpac.me/results/e2f3497e-8f53-42e9-af86-64e4720ae4c7/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/de50750ee781/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/de50750ee78194b412f3089ae953e5851bf3017f23246663d22f05ce3a29d9e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/277816/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample