MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edea3ebe6e3edb0bb20b563e35f76ef09854f36613ad28bd7697d45c74fd7e1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	edea3ebe6e3edb0bb20b563e35f76ef09854f36613ad28bd7697d45c74fd7e1d
SHA3-384 hash:	89d20450712790cee16f703cb6941a0f0b3759228fbcc46b4cf504a5d30764e58fc3e1c35ddbcf174432e68a61c180ca
SHA1 hash:	a1203d3c7256db3319d47ab3e94f90efaa181a35
MD5 hash:	7d2d53881d4aa7f7ffe87e95d07e3c52
humanhash:	april-mississippi-king-march
File name:	J0370600140.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	621'568 bytes
First seen:	2023-07-13 06:15:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:k78PtpJZPFR31YY4w3UiqK/PkTS6Op45RLr02hgjGPHhrx:xz31YYEiqK3kTsp+drtYehN
Threatray	4'218 similar samples on MalwareBazaar
TLSH	T115D4F100BAF84F56E9BF9BF15524613043B2A6D779B2E3164DC2B0DF58B2B400A49F5B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://138.68.56.139/?p=3880241

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

J0370600140.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 06:19:06 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/6755c296-a5b5-4e39-bce3-a800e7227d4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/417243/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.17394.4276.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Enabling the 'hidden' option for analyzed file

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Stealing user critical data

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo jigsaw lokibot packed

Link:

https://www.filescan.io/uploads/64af96a7a15fc7eb4fd1cb25/reports/4ce25858-4b0b-403c-91d7-a4bb772b72fa/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/edea3ebe6e3edb0bb20b563e35f76ef09854f36613ad28bd7697d45c74fd7e1d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/98b8272e-06b2-4c7f-95da-b7a3abd2c5b6

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272211

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/edea3ebe6e3edb0bb20b563e35f76ef09854f36613ad28bd7697d45c74fd7e1d/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-13 06:16:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5xvd5ptoh3nqxmqlky7dl53o6cmfj43gcowsrplws7kfy5h5pyoq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230713-g1fy3sfe66/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Drops file in System32 directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://138.68.56.139/?p=3880241
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/c35fe67b-4676-4a62-ad1f-49d9a60334f7/

SH256 hash:

1f401e363fa9d9ad2b92df25f96b03515c25589c1e23aed7806c3aae257668be

MD5 hash:

0a8d2d78014e15c81713ddcae659dae1

SHA1 hash:

6020938afc15645e4725292d15a65aa1783c0077

Link:

https://www.unpac.me/results/c35fe67b-4676-4a62-ad1f-49d9a60334f7/

SH256 hash:

563adc44ebbd614d9dc7163e7739a932c476efce5821327a1f1a7189e12f50f1

MD5 hash:

b33997f55d69029fc2c21362dafa979e

SHA1 hash:

2c04e0e05ed889378ad09e034edc775842c39195

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/c35fe67b-4676-4a62-ad1f-49d9a60334f7/

Parent samples :

edea3ebe6e3edb0bb20b563e35f76ef09854f36613ad28bd7697d45c74fd7e1d
027daae0d06ed4c8f21d61d5e5e5470bd3313a6daeef95fe5f10bdc9517886c6
c8ad050630ea954712c67d5c27e8f75542d78e7d43c81554c0a652da9218a880
6ab1469b64fcfb38f3e8f7536a3e4005794b13efc0fad4a3b4735547903dc845

SH256 hash:

3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9

MD5 hash:

a5228b97b33467ac41fac5cac2718252

SHA1 hash:

28bb020c8a53b046fc8e8106f2913e62c5941a0d

Link:

https://www.unpac.me/results/c35fe67b-4676-4a62-ad1f-49d9a60334f7/

SH256 hash:

edea3ebe6e3edb0bb20b563e35f76ef09854f36613ad28bd7697d45c74fd7e1d

MD5 hash:

7d2d53881d4aa7f7ffe87e95d07e3c52

SHA1 hash:

a1203d3c7256db3319d47ab3e94f90efaa181a35

Link:

https://www.unpac.me/results/c35fe67b-4676-4a62-ad1f-49d9a60334f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/417243/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample