MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
SHA3-384 hash: 892081129e193685555ec59d6e88a2296abf254b613d3be3c898d337c350b1902ae2fe1aee65e080efa90018494c47ba
SHA1 hash: 03f88667ac44a41a2b5e4b2cf48f23302ae79b6c
MD5 hash: f4a43c4e63d1bc8908819fc2b3b6a83b
humanhash: lima-three-chicken-enemy
File name:FACTURA09876567000.bat.exe
Download: download sample
Signature Loki
Create hunting rule
File size:518'144 bytes
First seen:2024-11-20 13:35:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 12288:FOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPi0Q/mXWb0zjnfxNNZjXO:Fq5TfcdHj4fmbjQOXQ0xNNZjXO
Threatray 2'015 similar samples on MalwareBazaar
TLSH T173B41290A0D8CC53EAA13331D17B8ED01978BA32CDC4271D6785F549BC71383A9DA67D
TrID 39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://87.120.113.235/18/pin.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://87.120.113.235/18/pin.php https://threatfox.abuse.ch/ioc/1346057/

Intelligence

File Origin
# of uploads :
1
# of downloads :
472
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURA09876567000.bat.exe
Verdict:
Suspicious activity
Analysis date:
2024-11-20 13:37:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0ec17029-f77f-48ef-8c85-39d5db56e657

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.Trojan.VORE-2106.1542.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673de64fe293c03416fb96bc
Tags:
infosteal autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a process
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit compiled-script masquerade microsoft_visual_cc monero overlay packed packed packed packer_detected upx
Link:
https://www.filescan.io/uploads/673de5cd4da26c34f4e61c7f/reports/7157b3bb-1b22-467c-b41a-81d22c4e347a/overview
Verdict:
Malicious
Labled as:
Confidence_97
Link:
https://www.hybrid-analysis.com/sample/ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0902f2a2-bb79-4975-bf2d-edc4cccda6d7
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1559423
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1559423 Sample: FACTURA09876567000.bat.exe Startdate: 20/11/2024 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Yara detected Lokibot 2->36 38 7 other signatures 2->38 8 FACTURA09876567000.bat.exe 4 2->8         started        12 wscript.exe 1 2->12         started        process3 file4 28 C:\Users\user\AppData\...\translucently.exe, PE32 8->28 dropped 40 Binary is likely a compiled AutoIt script file 8->40 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->42 14 translucently.exe 2 8->14         started        44 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->44 18 translucently.exe 1 12->18         started        signatures5 process6 file7 30 C:\Users\user\AppData\...\translucently.vbs, data 14->30 dropped 46 Multi AV Scanner detection for dropped file 14->46 48 Binary is likely a compiled AutoIt script file 14->48 50 Machine Learning detection for dropped file 14->50 58 3 other signatures 14->58 20 svchost.exe 14->20         started        52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->52 54 Writes to foreign memory regions 18->54 56 Maps a DLL or memory area into another process 18->56 22 svchost.exe 18->22         started        signatures8 process9 process10 24 WerFault.exe 23 18 20->24         started        26 WerFault.exe 23 22->26         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 13:36:05 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5tdb7zrv4lg3bbmuihxzbyzqemajjz2rjtyazneifhqtnvytwy5q._file
Verdict:
malicious
Label(s):
unknown_loader_036
Create hunting rule
lokibot
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
autoit
Create hunting rule
Similar samples:
041c73bd4c470d02db20ef282a1a8550f8987e362cbd07fc3828c14873a7f772
Loki
310cb005c21c57556ce727e947b156d61715adea6d73c342902c8620f287643d
Loki
418e0add4eb6fb3db62e0fdae4dfe7b738e8348babc29a09f5cf9a0cac0a29db
Loki
6e3322a3a24b94c3b8355d8ebc8afb9ea0ea3eb309736181f9d72728199d9794
Loki
error
Loki
fbed0af892e58c844c0d37e6c68e979b8dbb94b5d6a95876a7cd38e0f0172478
Loki
+ 2'005 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery spyware stealer trojan upx
Link:
https://tria.ge/reports/241120-qv8lkssjgq/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Drops startup file
Executes dropped EXE
Loads dropped DLL
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://87.120.113.235/18/pin.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/645a8aa1-9014-4c5c-b611-f3d46629af7b
Unpacked files
SH256 hash:
c5e2cdc6d65459e14307c120463ce6bcacfbc2405bd6a717f5803d054d087716
MD5 hash:
66abb5324d0a8e3db99820e63a93a3f2
SHA1 hash:
6f1d83d61df2057990ea74f96ff760fdd7aa79d9
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/365507d2-448a-40e3-93a5-a73c1b1ee2b2/
SH256 hash:
4080f041c0d248fea39e9a2649cb9ef7748764755e022ae3d79b0bce2d20326e
MD5 hash:
ac347d3b3a710682340d9de47cdfd624
SHA1 hash:
c9bac003e88498b6b08fd8243eefce42cb889820
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/365507d2-448a-40e3-93a5-a73c1b1ee2b2/
Parent samples :
a4e13d5ddfed2748925ccf8cb2a08cf03f992de943e195aa73411e1fd2efab80
041c73bd4c470d02db20ef282a1a8550f8987e362cbd07fc3828c14873a7f772
c324fe32df959176f968d80a6ff1914f2b195c1796376f2511cb97f763f1d905
234c88ce76cde3cb4510ae1532863bb3c29efa0e94889d5dd30818f084c3b958
ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
be789d9c5185f7f04ddb78f2b39f9dd7415080c4d975139fc612158b0b3a5bad
afd5885712157bf7e51471f21b977788084aa78bf58d45287b4043edb2ee3495
SH256 hash:
ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b
MD5 hash:
f4a43c4e63d1bc8908819fc2b3b6a83b
SHA1 hash:
03f88667ac44a41a2b5e4b2cf48f23302ae79b6c
Link:
https://www.unpac.me/results/365507d2-448a-40e3-93a5-a73c1b1ee2b2/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe ecc61fe635e2cdb0859441ef90e330230094e7514cf00cb48829e136d713b63b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3297312/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments