MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee3f4daeb7c1c9a9aba13bb844a50039eb0986139128b80b0454a6519ac3f92a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	ee3f4daeb7c1c9a9aba13bb844a50039eb0986139128b80b0454a6519ac3f92a
SHA3-384 hash:	dcf217c251d66a70c670d31a95d0a60177e2a12a426a47b70eccd9a9d2764f2851c989235b0f3fb8ea241cb3d9f791d4
SHA1 hash:	10fe9334b476944ed70b9630282271046e1d3c0b
MD5 hash:	b39d32c0467f9cf17ff0d19fbf53cf32
humanhash:	ceiling-fruit-louisiana-crazy
File name:	file_02.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	245'894 bytes
First seen:	2022-02-07 08:58:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	6144:owjbHNGwdpHiQX2U/AcoTyQ3xn+Z5178nRLnbWJ:Awd1i8u5+pgdI
Threatray	6'135 similar samples on MalwareBazaar
TLSH	T14034125E62C0D8DBC4561B3113B3F5AE93FAA3252150264FCF60BFDB792E153BA16281
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	pr0xylife
Tags:	exe Loki Lokibot

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://128.199.46.58/~hgyf/?search=155d0cf3c0a3a77ef74eec7039f1ccfd	https://threatfox.abuse.ch/ioc/381682/

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/234155/

Detection(s):

SecuriteInfo.com.FakeAV.CXA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

DNS request

Stealing user critical data

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6200df5931f00fad9db39b60/reports/a2d7c87e-48b1-4db2-82c6-99dc4a557dbb/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c42eeab0-2916-4ffe-87b1-418a7364e84a

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/934993

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/ee3f4daeb7c1c9a9aba13bb844a50039eb0986139128b80b0454a6519ac3f92a/

Threat name:

Win32.Trojan.Risis

Status:

Malicious

First seen:

2022-02-07 06:52:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5y7u3lvxyhe2tk5bho4ejjiahhvqtbqtseulqcyekstfdgwd7eva._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

7de23e4a24000890c6c512cd03e134a1e16972f66eca60c6976bce160890bf2b

Loki

7ea95983d20a473cc7e6235f3d5950e564a396cc5ac9b6a1ba6967bb892b682b

Loki

aeff0c4823c37fc2054f80c6bf7dafcf7fce8abb84d7b72a08fa67411d2aa480

Loki

d908d3f8da046ec5afaafe70769fe7c95b21ebc11a196a189697683814aded55

Loki

e1502521ffeee00023e9b6711c48e49e43dc85b111f75f4735e2a78a3245eccd

Loki

f167006496b7896a1e356dab7f75a4f0b68c1b15f99182bfaa0bf7a0e67d9f7f

Loki

+ 6'125 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220207-kxqwnaacbn/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Loads dropped DLL

Lokibot

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://128.199.46.58/~hgyf/?search=155d0cf3c0a3a77ef74eec7039f1ccfd
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

f12de7d3ddfe04df4e097515dd3fa742a978d09be0f406b4cc6f654db521d3f4

MD5 hash:

837b0dd1161ec77368730cdfee81875b

SHA1 hash:

28a218bbbc0903a8b6a01772406c8ab285299fcb

Link:

https://www.unpac.me/results/67181f95-480c-475e-9008-c89664422438/

SH256 hash:

ee3f4daeb7c1c9a9aba13bb844a50039eb0986139128b80b0454a6519ac3f92a

MD5 hash:

b39d32c0467f9cf17ff0d19fbf53cf32

SHA1 hash:

10fe9334b476944ed70b9630282271046e1d3c0b

Link:

https://www.unpac.me/results/67181f95-480c-475e-9008-c89664422438/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/ee3f4daeb7c1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe ee3f4daeb7c1c9a9aba13bb844a50039eb0986139128b80b0454a6519ac3f92a

(this sample)

Cape

https://www.capesandbox.com/analysis/234155/

URLhaus

https://urlhaus.abuse.ch/url/2033783/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample