MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
SHA3-384 hash: e932f1855fda63c53e72e266c58990b01fef440b064728730307709e844e86ef7391857b363a01b9db9a0378963475ef
SHA1 hash: 9ed0987c6a26f61afb6fa772dce9b4a6ddd9090c
MD5 hash: ce51f15d31008c3606729b00036fe841
humanhash: georgia-undress-freddie-magazine
File name:RFQ No3756368.exe
Download: download sample
Signature Loki
Create hunting rule
File size:143'360 bytes
First seen:2021-06-15 11:00:54 UTC
Last seen:2021-06-15 11:51:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646b0badad20ba025cd8fef6f59a6973 (3 x Loki)
ssdeep 1536:hCcQYhjIXnSCSv+0fYB8C0By866sqptPDe9bHE+ksxuBv:YcDgC5fYSCA7De94n
Threatray 4'926 similar samples on MalwareBazaar
TLSH 8AE36C56850896A2F3770136FA2E0B7E25527C622D439E073759BF9F39342D3C9B8326
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://63.141.228.141/32.php/nuldTOn9SBn3G

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://63.141.228.141/32.php/nuldTOn9SBn3G https://threatfox.abuse.ch/ioc/116086/

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ No3756368.exe
Verdict:
Malicious activity
Analysis date:
2021-06-15 11:02:01 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/b127fb42-11c7-4833-9cc0-33920c6d34c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166469/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.23970.27139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24fc6b57-35bd-4c32-9b51-b4d7daaa5b37
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802329
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Potentially malicious time measurement code found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 11:01:11 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4tx7325xtpi3huxdujiqvfxujs7zzjewcnampsq7e5v5hrjhv6za._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
22b13820a6139c7682d5e1108aefde2200dc593e14fe7fca28eb27d5e616bef7
Loki
42b2f84e503000a98a9aa9f476d104389bdd766b74c3899b34a01b73138ea56d
Loki
48aac53ca47241dd233ec894895239d5539c53b5e35310389529724a457555a7
Loki
5e74833e8f9a6e8a92cca35de25fb0d6b68c84d0bc22b9c939b51737acb83494
Loki
6147decc439b9d258f5b19f77dfa47ea441e681c49e0b699533eea18104f4092
Loki
8f1517666a1f5f7f6d0f38814909251d41de92126c2a7df0626de2fa1ae9ba1f
Loki
9e313db794797641d0c55ff15c1f663e13893bb443bb84e0dd212f8a7aeca598
Loki
c3ca97abe1f0584928691bf13d02b25a4e20288a2477e466d67000c0bbe04df3
Loki
ced266ad59923661e84dca65e4412e0b99a11fe4868f4219142ebc49a8308fb2
Loki
daddd42058897ef8a960a504ff3022b9cea4e6ae3c943be987300abff4706385
Loki
+ 4'916 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot downloader spyware stealer trojan
Link:
https://tria.ge/reports/210615-wpqh96h4r2/
Behaviour
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Guloader,Cloudeye
Lokibot
Malware Config
C2 Extraction:
https://drive.google.com/uc?export=download&id=178gAB7Kg_oMzCSAzqF9y5fIXkgVf7x0t
http://63.141.228.141/32.php/nuldTOn9SBn3G
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/7be012d5-5d87-4166-af2b-db50b213ddf0/
SH256 hash:
e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2
MD5 hash:
ce51f15d31008c3606729b00036fe841
SHA1 hash:
9ed0987c6a26f61afb6fa772dce9b4a6ddd9090c
Link:
https://www.unpac.me/results/7be012d5-5d87-4166-af2b-db50b213ddf0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e4effdebb79bd1b3d2e3a2510a96f44cbf9ca4961340c7ca1f276bd3c527afb2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166469/

Comments