MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1d8eab874be46593faa035567ce4dbe32b61571533b46f115621a8b33b10181. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1d8eab874be46593faa035567ce4dbe32b61571533b46f115621a8b33b10181
SHA3-384 hash: 7b79f3feb72290fc8b2c49bd40b13d9eb96e28a25489a913c0425db82080bfd575bd11a46ec4afd9359985938fd85982
SHA1 hash: 28a28958fc6ceefca01a10d1c1d4de6dc902002e
MD5 hash: d894d88b47b90935783e5a87207800e2
humanhash: sad-network-enemy-two
File name:SecuriteInfo.com.W32.AIDetectNet.01.13665.515
Download: download sample
Signature Loki
Create hunting rule
File size:859'648 bytes
First seen:2022-05-26 19:33:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:xG2W0EqcCpWwoCEZbHolnRsTl11D1SFRQBbY82tzSNm9E00pVZkLAK53oIEHvy6y:sJC1oDZbHolnw1Bg+BqzSI9E00p88s
Threatray 8'753 similar samples on MalwareBazaar
TLSH T1CF058D9D3650B1DFC897C976CEA81C20FA6074BB570BC207A05726ADAD0D9ABCF154F2
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon cc8a8accccaaaacc (12 x AgentTesla, 5 x Formbook, 5 x Loki)
Reporter SecuriteInfoCom
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
373
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.W32.AIDetectNet.01.13665.515
Verdict:
Malicious activity
Analysis date:
2022-05-26 19:38:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce95a0ae-7c0f-4e86-9f92-8b0083893ba2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274825/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.13665.515.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/628fd632945ebb7eb17c9b96/reports/284e9760-0d65-4d6a-b407-e2c19ad0401a/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a7e7a2a-8597-402b-8aaf-36c595f978e4
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002331
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634827 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 26/05/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 10 other signatures 2->43 7 SecuriteInfo.com.W32.AIDetectNet.01.13665.exe 7 2->7         started        process3 file4 27 C:\Users\user\AppData\Roaming\uqJEECfr.exe, PE32 7->27 dropped 29 C:\Users\...\uqJEECfr.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp1089.tmp, XML 7->31 dropped 33 SecuriteInfo.com.W...et.01.13665.exe.log, ASCII 7->33 dropped 45 Detected unpacking (changes PE section rights) 7->45 47 Detected unpacking (overwrites its own PE header) 7->47 49 Tries to steal Mail credentials (via file registry) 7->49 51 2 other signatures 7->51 11 SecuriteInfo.com.W32.AIDetectNet.01.13665.exe 54 7->11         started        15 powershell.exe 24 7->15         started        17 powershell.exe 25 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 35 85.202.169.172, 49776, 49777, 49780 GUDAEV-ASRU Netherlands 11->35 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->53 55 Tries to steal Mail credentials (via file / registry access) 11->55 57 Tries to harvest and steal ftp login credentials 11->57 59 Tries to harvest and steal browser information (history, passwords, etc) 11->59 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1d8eab874be46593faa035567ce4dbe32b61571533b46f115621a8b33b10181/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-05-26 19:07:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 40 (42.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hmovoduxzdfsp5kankwptsnxyzlmflrkm5un4ivminiwm5ragaq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
11bd4ebcb491c120c871767c30f6b614c74bba8bd29b3a01977340442e609a94
Loki
17601e8cd5da7f6b4030546780e2ea2793f104cb978db4aaeb634b8d9be642b8
Loki
4569409e80631fe85b794a736958f686aa04672e73f870e8aeddaad6b7b971c7
Loki
942903b9567851b58d6a7450d27d17e6e6bcd881576b3ca1c11abead76d216d9
Loki
db19f1bef553dda6b33f8e792dc85c8bb8098826ecc41afe9be84ac3d73f7b33
Loki
+ 8'743 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220526-x93r7secd7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://85.202.169.172/kelly/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
3b3bdb56126258553650a9299021d451060020bfa79ad8389dd1d3887f01e7f2
MD5 hash:
0dba2305c5384fd4940a937d286907b5
SHA1 hash:
9b236c7110939be3b8e2ce927fd36c26785b7660
Link:
https://www.unpac.me/results/d696e7df-34a2-46b4-afee-6606ebbeeed3/
SH256 hash:
fd13b602480c31a3f08b1829e70549d1a29f3431c17358a138eb2dfea554e8bd
MD5 hash:
be924af60a6d69a24fcf0370c60183eb
SHA1 hash:
912fea8305cb381050db42133b938e28363fdbc8
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/d696e7df-34a2-46b4-afee-6606ebbeeed3/
Parent samples :
859c4d32d610fa0a47a5afd95c6dc1e1eb550ea8b93d6e2dc56f2db52354e345
212ceab3e02c1dbd8c6c6cca14c1ca6c1920b9c7d23bf3b5a6e208b9ca6447c6
e1d8eab874be46593faa035567ce4dbe32b61571533b46f115621a8b33b10181
b725e73edec2f3fcaca92038ddcaffd70a8209b5e86d503e70053e336975b58c
7776ef4785c6c59cef4ec63fc9ffcc85fd2dd7fb475baba35d1d85e876bc9104
bdbc86c0a5462911cfe1af9466eae05084b0aa1c4619cddc68129b3eb3fd81dc
6224386940968b1bd3bf7b45310af4170d355155e3a4e31719d4ae31a537e272
bfcc207c3754bfcdf3bf882cd8ff018f36d3cfd65f8d40700970d4e7a2d47cec
SH256 hash:
2bf2d02e89f175d0a42d99eac53c11d7eb1eb8332d570cf4e665313a29b0bc87
MD5 hash:
85064edc9ce8d425379a1f4a8e03a3cd
SHA1 hash:
4ea1f2172243609ebddfcbbbacef4a2191b80044
Link:
https://www.unpac.me/results/d696e7df-34a2-46b4-afee-6606ebbeeed3/
SH256 hash:
742bfb49cf3904931ce87b810106611867a6b4b7a8d69f308e21d9d221365b3d
MD5 hash:
81cf021b05eebb622775151dc87f2aa1
SHA1 hash:
480c103ac6e66fe00b488d286832dc89eee088a6
Link:
https://www.unpac.me/results/d696e7df-34a2-46b4-afee-6606ebbeeed3/
SH256 hash:
e1d8eab874be46593faa035567ce4dbe32b61571533b46f115621a8b33b10181
MD5 hash:
d894d88b47b90935783e5a87207800e2
SHA1 hash:
28a28958fc6ceefca01a10d1c1d4de6dc902002e
Link:
https://www.unpac.me/results/d696e7df-34a2-46b4-afee-6606ebbeeed3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1d8eab874be46593faa035567ce4dbe32b61571533b46f115621a8b33b10181

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274825/

Comments