MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 6 File information Comments

SHA256 hash:	eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703
SHA3-384 hash:	e329abd3781d39321f3bed57e4a2aaa1557b9cdbfa01e40876442e3981ddc4536b10699e538f2eaf0e3ae96a5d06332c
SHA1 hash:	1692639db61f72b4e1bfa80e4a55bc1cfa8bb129
MD5 hash:	3edc8e31efe97c259c8f2eebbbb4da98
humanhash:	neptune-kilo-juliet-fanta
File name:	3edc8e31efe97c259c8f2eebbbb4da98.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	376'320 bytes
First seen:	2024-08-06 22:00:26 UTC
Last seen:	2024-08-06 22:23:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'917 x Formbook, 12'332 x SnakeKeylogger)
ssdeep	6144:lykHWlFEnk3OQdZXq5Brr5JhV/Vz27y1svOwEi4ZABsQCDVlPMimKv6BPBIi+7PM:lpybZXGnbhSGsvOri4ZZdnMim3NB5iw9
Threatray	4'354 similar samples on MalwareBazaar
TLSH	T13984BEAC765172DFC857D4769A681CB8EB6574BB830F0113A02716EEAE0D99BCF140F2
TrID	28.5% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.2% (.EXE) Win32 Executable (generic) (4504/4/1) 5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	e0c0c0e0e0e0f1f0 (4 x Loki, 2 x XenoRAT)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://94.156.66.169/bhvstgd/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://94.156.66.169/bhvstgd/Panel/five/fre.php	https://threatfox.abuse.ch/ioc/1307608/

Intelligence

File Origin

# of uploads :

# of downloads :

407

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

3edc8e31efe97c259c8f2eebbbb4da98.exe

Verdict:

Malicious activity

Analysis date:

2024-08-07 02:03:57 UTC

Tags:

lokibot stealer trojan

Link:

https://app.any.run/tasks/abc11274-e153-4f15-9098-cdf667d07eb8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Packed.ConfuserEx-6391397-0

PUA.Win.Packed.ConfuserEx-6582917-0

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66b29d23aa5b40be0a9fb601

Tags:

Banker Exploit Generic Stealth Dexter

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Searching for synchronization primitives

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Changing a file

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Connection attempt to an infection source

Moving of the original file

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

confuser confuserex lokibot net packed packed

Link:

https://www.filescan.io/uploads/66b29d35b67cf38542c43859/reports/b707a54f-df3a-4e8d-8128-ff6a70e1c62e/overview

Verdict:

Malicious

Labled as:

Bulz.Generic

Link:

https://www.hybrid-analysis.com/sample/eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/4d52419c-e4e1-4422-9ece-0ef764edc5b6

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1489109

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses known network protocols on non-standard ports

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703/

Threat name:

Win32.Hacktool.Boilod

Status:

Suspicious

First seen:

2024-08-06 22:01:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=53besfx4bklyvzolq6hp5iwhzvoaia3yhzhhyq4koonw7khda4bq._file

Verdict:

malicious

Loki

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

Loki

594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188

Loki

79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d

Loki

a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4

Loki

f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207

Loki

+ 4'344 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection credential_access discovery spyware stealer trojan

Link:

https://tria.ge/reports/240806-1w72jswapf/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Credentials from Password Stores: Credentials from Web Browsers

Lokibot

Malware Config

C2 Extraction:

http://94.156.66.169:5788/bhvstgd/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c1568aa5-33da-4dbe-8ba1-b1a51c781b31

Unpacked files

SH256 hash:

b16e42a4fdfd8b4cc003bd0d4ef0b74054e549a53522752fa69e02e455f3de14

MD5 hash:

d1d51291341f74738c6d71d4ab6d5e24

SHA1 hash:

96248ce7cfa3ee970b5a54d1391452de76f13cc1

Link:

https://www.unpac.me/results/f92fffa8-2cc4-439b-afd7-1e6b3c60ed1b/

SH256 hash:

b760b439301b31c0b83f6a1d2cbb95964e7e3fbf899becb836a110e0cd4fe96f

MD5 hash:

9d7ba5113f8f92becf7d97e6b8b55722

SHA1 hash:

8ba06ae3454bf4c819f1c95032df27c766b6ff80

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Lokibot

SUSP_XORed_URL_In_EXE

STEALER_Lokibot

Link:

https://www.unpac.me/results/f92fffa8-2cc4-439b-afd7-1e6b3c60ed1b/

Parent samples :

eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703
872593063b4fad7b6355ee53d4f4017320851167b18311674e8869d983191d82

SH256 hash:

8715110585d5eccf17651ea1d2aeb79f772bdcced54e563862a579fe32efef84

MD5 hash:

6df782ff3af11780b7a25c24abeabe54

SHA1 hash:

4a09fbd77e9960283c1f5fb17695019587e78be4

Detections:

SUSP_NET_NAME_ConfuserEx

Link:

https://www.unpac.me/results/f92fffa8-2cc4-439b-afd7-1e6b3c60ed1b/

SH256 hash:

eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703

MD5 hash:

3edc8e31efe97c259c8f2eebbbb4da98

SHA1 hash:

1692639db61f72b4e1bfa80e4a55bc1cfa8bb129

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_NET_NAME_ConfuserEx

Link:

https://www.unpac.me/results/f92fffa8-2cc4-439b-afd7-1e6b3c60ed1b/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/eec24916fc0a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	INDICATOR_EXE_Packed_ConfuserEx_Custom Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Custom; outside of GIT

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe eec24916fc0a978ae5cb878efea2c7cd5c0403783e4e7c438a739b6fa8e30703

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3093222/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample