MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb33d7e8b2effd94721dde8b2169c27cec66a2d21832ab296d7c7d82ba0619e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb33d7e8b2effd94721dde8b2169c27cec66a2d21832ab296d7c7d82ba0619e7
SHA3-384 hash: bda02e4918d5b1713119b37d3310fd109f4cb7efb1959dac26a1bb6ceebca8bcedf0ff9e908d4ed535f984464acdd7b5
SHA1 hash: f8c2482c66c3acdb4ab2d9bd82c91dfc36c56898
MD5 hash: 0c4efc70083f61b3312bddcdfaa08496
humanhash: stairway-social-gee-paris
File name:Orden de Servicio + Cotizacion.exe
Download: download sample
Signature Loki
Create hunting rule
File size:72'704 bytes
First seen:2022-05-30 19:20:50 UTC
Last seen:2022-05-31 12:08:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'250 x SnakeKeylogger)
ssdeep 1536:SBJlbp3eXlvAPBGLX6cMxkWFUzaR5IyS2eNXeOalU:KJlbQXy5GLX6cELQaIVv0tU
Threatray 9'263 similar samples on MalwareBazaar
TLSH T15063DFC06B80C5B0E5684274D277CBF097229F68E02ACF5F44E47D2F7E61742AE93625
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b168eae46c39d928 (9 x AgentTesla, 8 x SnakeKeylogger, 6 x BitRAT)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://qsbtankers.com/rect/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://qsbtankers.com/rect/five/fre.php https://threatfox.abuse.ch/ioc/643455/

Intelligence

File Origin
# of uploads :
2
# of downloads :
426
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Orden de Servicio + Cotizacion.exe
Verdict:
Malicious activity
Analysis date:
2022-05-30 19:22:02 UTC
Tags:
trojan lokibot stealer opendir
Link:
https://app.any.run/tasks/75149adc-6bf8-4d6e-b8ef-7d8860807b22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275544/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6295193a6eb3ff3263413567/reports/316c46fe-118f-4dd5-8165-1ddd3dd88587/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2ca0be92-e39f-4f8e-b206-4c151fbda096
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003813
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Costura Assembly Loader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 636309 Sample: Orden de Servicio + Cotizac... Startdate: 30/05/2022 Architecture: WINDOWS Score: 100 31 qsbtankers.com 2->31 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 8 Orden de Servicio + Cotizacion.exe 15 4 2->8         started        signatures3 process4 dnsIp5 33 163.123.142.134, 49746, 80 ILIGHT-NETUS Reserved 8->33 29 C:\...\Orden de Servicio + Cotizacion.exe.log, ASCII 8->29 dropped 47 Writes to foreign memory regions 8->47 49 Injects a PE file into a foreign processes 8->49 13 MSBuild.exe 54 8->13         started        17 cmd.exe 1 8->17         started        19 cmd.exe 1 8->19         started        file6 signatures7 process8 dnsIp9 35 qsbtankers.com 142.4.0.135, 49770, 49771, 49773 UNIFIEDLAYER-AS-1US United States 13->35 37 192.168.2.1 unknown unknown 13->37 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->51 53 Tries to steal Mail credentials (via file registry) 13->53 55 Tries to steal Mail credentials (via file / registry access) 13->55 57 2 other signatures 13->57 21 conhost.exe 17->21         started        23 timeout.exe 1 17->23         started        25 conhost.exe 19->25         started        27 timeout.exe 1 19->27         started        signatures10 process11
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb33d7e8b2effd94721dde8b2169c27cec66a2d21832ab296d7c7d82ba0619e7/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-05-30 19:21:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mz5p2fs576zi4q532fsc2ocptwgniwsdazkwklnpr6yfoqgdhtq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2289816fa967e230968ffe986a76950ba4938c6f0c3b27912ec480bf5c0e62d5
Loki
3851e1c8c896ecae1035576a4b37d1fafa0690df428e255ed709c155cf77279c
Loki
4dd4e59368f5e310bdebc4f7ee60778446873c9b930f16366592b471a86f3718
Loki
50cb7b0b1d15d89428745bd508343b52d5f197b5f57cdf83a077973bae3d1ec1
Loki
7fe467ef6f392039c0ce5edaadf85c19a8406a0b0b7332131e2b2ddc9f074bb6
Loki
9740fa7b19f17e4c6df857ec1240c243a77ad689894ecaa92bd112709c242664
Loki
af8fd10b749ea99db1bb4a6a2d7ee79f6b03726b2866a652f8bade94d83440b8
Loki
bc4e9db6c6cc42bb03d7257abbf2105e1ed6c4fe24ccaabcd3db84fe8a935c1b
Loki
+ 9'253 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220530-x2me9acdgn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://qsbtankers.com/rect/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
eb33d7e8b2effd94721dde8b2169c27cec66a2d21832ab296d7c7d82ba0619e7
MD5 hash:
0c4efc70083f61b3312bddcdfaa08496
SHA1 hash:
f8c2482c66c3acdb4ab2d9bd82c91dfc36c56898
Link:
https://www.unpac.me/results/8392e8fe-0207-4c41-99f0-22a814559d84/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/eb33d7e8b2effd94721dde8b2169c27cec66a2d21832ab296d7c7d82ba0619e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275544/

Comments