MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f
SHA3-384 hash: 384ba571ad4b2fa4673cea3576820c162e9e09a27ffb6c0602ab785ef5e76fdf72e8039177fce7555a12a0e52fee8798
SHA1 hash: 7f715501c27a5b3129bff868f7783b48ac241b22
MD5 hash: abe213b4ee4527094194ecfae4a767e8
humanhash: nine-nine-butter-romeo
File name:e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f
Download: download sample
Signature Loki
Create hunting rule
File size:935'848 bytes
First seen:2024-02-06 13:38:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e92b2275a730f59940462780c383a1b0 (26 x CryptOne, 3 x Loki, 2 x Mimic)
ssdeep 24576:XdZKo0YNGSQDlUHSLFD7XX2yyjXdbNxD7E:XTK6ESQmSLFfX5+NhxD7E
Threatray 163 similar samples on MalwareBazaar
TLSH T16B15CE3972F0A371D875053227E4D2385AE86F68CEE1C74BD2B01A99B320DD53E6865F
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 74e4dcccc8ccdcd4 (4 x Formbook, 2 x AsyncRAT, 2 x Loki)
Reporter adrian__luca
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
370
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474875/
Detection(s):
Win.Trojan.Mikey-9839945-0
Create hunting rule

Win.Malware.Fugrafa-9934740-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint lolbin overlay packed setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/65c2367819fc3809142448dc/reports/aca1b700-c245-4b38-b28a-84e9da628079/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb9ffdff-a5e4-4b5f-aa27-bb2c2e49b957
Result
Threat name:
Lokibot, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387539
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1387539 Sample: oiDDogdK9A.exe Startdate: 06/02/2024 Architecture: WINDOWS Score: 100 45 xmail.cfd 2->45 57 Snort IDS alert for network traffic 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 11 other signatures 2->63 10 oiDDogdK9A.exe 3 7 2->10         started        signatures3 process4 file5 39 C:\Users\user\Desktop39W.exe, PE32 10->39 dropped 13 NW.exe 7 10->13         started        17 Acrobat.exe 51 79 10->17         started        process6 file7 41 C:\Users\user\...\(P.O_6203445_2024).exe, PE32 13->41 dropped 77 Multi AV Scanner detection for dropped file 13->77 79 Machine Learning detection for dropped file 13->79 19 (P.O_6203445_2024).exe 7 13->19         started        23 AcroCEF.exe 107 17->23         started        signatures8 process9 file10 37 C:\Users\user\Desktop\P.O_6203445_2024.exe, PE32 19->37 dropped 65 Multi AV Scanner detection for dropped file 19->65 67 Machine Learning detection for dropped file 19->67 25 P.O_6203445_2024.exe 1 19->25         started        28 Acrobat.exe 19->28         started        30 AcroCEF.exe 23->30         started        signatures11 process12 dnsIp13 69 Antivirus detection for dropped file 25->69 71 Multi AV Scanner detection for dropped file 25->71 73 Machine Learning detection for dropped file 25->73 75 3 other signatures 25->75 33 aspnet_compiler.exe 25->33         started        47 184.25.164.138, 443, 49718 BBIL-APBHARTIAirtelLtdIN United States 30->47 signatures14 process15 dnsIp16 43 xmail.cfd 172.67.145.240, 49710, 49713, 49715 CLOUDFLARENETUS United States 33->43 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->49 51 Tries to steal Mail credentials (via file registry) 33->51 53 Tries to steal Mail credentials (via file / registry access) 33->53 55 2 other signatures 33->55 signatures17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-06 13:39:05 UTC
File Type:
PE (Exe)
Extracted files:
83
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qhz7465uclppf2gkzxxupkznxcznk5qmtgwhh5fknbercck7v7q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1b679b7b07daff5acfafb8d134126a28e748fb29f600219112ddd5f53fb3ebf5
Loki
48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
Loki
7412f8c14bb009b2db18385d9a6be5795b6a63c675ad241579f41fa56e637982
Loki
9df8f23aa69200b7c85fca51e2a10391854c9ab16949f2100a27b212c811e618
Loki
9ea1f28df176d766fcbf2ccc0071d58d80360039f844d3943b0712b11adbdf55
Loki
c4a3492a81c92f34a641b2d95fc1e656cbc59d33cc2805004c3204f5851ef098
Loki
e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f
Loki
ee010f0b2d9afa2a1def8e1d899c1e0afb44041545af91d227e6997e852f08cd
Loki
+ 153 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:lokibot family:zgrat collection rat spyware stealer trojan
Link:
https://tria.ge/reports/240206-qxyjdsgcc9/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
Lokibot
ZGRat
Malware Config
C2 Extraction:
https://xmail.cfd/PWS/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
e078f4794b60ef33194a37fb42195cc5dec5abc616632349174328129e3155c1
MD5 hash:
7abd1d49bf28ff6751a343ba89ab19e1
SHA1 hash:
b603cb7379869dbf7a1cb4630aecf5a609be2e32
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/b69f7848-2c88-4c2f-9125-f418d7308519/
SH256 hash:
036fce7cc80b515e2e180ad225505798287d68cf9ab06b4623a6aae87d7fafd8
MD5 hash:
281b426f6563ecdf0a9e3a58e1841497
SHA1 hash:
9b547c8ab6878c7bd1d8df3fee5e2945bfc3c0f3
Link:
https://www.unpac.me/results/b69f7848-2c88-4c2f-9125-f418d7308519/
SH256 hash:
e000743b2454be9afb15a76025411e6052bdd6273d33edd8036562dcf93e60c8
MD5 hash:
136a8b642f1195f4eeb15b77d3080270
SHA1 hash:
6c04bdbc01678970a16591247b7980b5d7b6fe6e
Link:
https://www.unpac.me/results/b69f7848-2c88-4c2f-9125-f418d7308519/
SH256 hash:
1da8e01b16035771b65045a44b329ebecf2984aa6191cf26d308c60b844c4417
MD5 hash:
0f82e1bd5c4aeeb424d20b5a798529f8
SHA1 hash:
04ed498454b92efd998082e047d98bea0c70a246
Detections:
MALWARE_Win_zgRAT
Create hunting rule
Link:
https://www.unpac.me/results/b69f7848-2c88-4c2f-9125-f418d7308519/
SH256 hash:
e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f
MD5 hash:
abe213b4ee4527094194ecfae4a767e8
SHA1 hash:
7f715501c27a5b3129bff868f7783b48ac241b22
Link:
https://www.unpac.me/results/b69f7848-2c88-4c2f-9125-f418d7308519/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e40f9ff3dda0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e40f9ff3dda096f79746566f7a3d596dc596abb064cd639fa5534248884afd7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474875/

Comments