MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885
SHA3-384 hash:	b8229f1854f1b5bda164d7786b6f56c9203da49f60d7e7e80efcfc94de45d39aac651dd9c0702ebfd1d4df741f0ce7f2
SHA1 hash:	b9f8b8faf0649216e198c97d0cfcb9275e57b8e7
MD5 hash:	ebfecf3757e1609c36bc2b9799bdb9a3
humanhash:	apart-seventeen-bluebird-south
File name:	SecuriteInfo.com.Win32.PWSX-gen.31845.11524
Download:	download sample
Signature	Loki Create hunting rule
File size:	644'096 bytes
First seen:	2022-11-28 03:30:47 UTC
Last seen:	2022-11-28 04:27:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:PrVnTrJ7jOww0aTnHh+vbCFUwncBnx4yci7HUsal:Prlncww0sHhJF9ns4jQ0X
Threatray	13'086 similar samples on MalwareBazaar
TLSH	T15BD4CF0827FFAF0BD6A957B04975991413F6B49A2637E34B1FC360DA0F62BC88454B27
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.31845.11524

Verdict:

Malicious activity

Analysis date:

2022-11-28 03:33:12 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/3b5308d7-8ae9-4b2c-aa3d-fda4be884288

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/339231/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.31845.11524.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/63842b77536377388865e6f1/reports/05e85f0a-728c-4144-9ef5-547311c109fa/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bb9d0a4e-8a96-4527-bbd6-39fdde609d12

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1122197

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-28 02:25:04 UTC

File Type:

PE (.Net Exe)

AV detection:

26 of 41 (63.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=54kerxwo7mav6ejqd5bb4ewboig2ecmtc5lxmgrrzcpjnh54tccq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

def88fc364ed03678d528bfd6bc39f19ff1831b098aaf0705fa13063c4044a2a

Loki

ec2a93f1858ba7e0de894944d57fb4b2f3021e5574d1b3594bfd8ffe32f7b029

Loki

f998a60cb95f390ca201950cf41b1764646f2f8ca91f13c05fbf78282518e741

Loki

fa4058c30f37d1cdb72e5bbcc467ff8f9b584b090bfdf723ac1f04817980096a

Loki

+ 13'076 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/221128-d22qdsbg26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://sempersim.su/gm11/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

ae6bd501e332f8471edf3d2615a9ca94b59182388e953a97b2dac0b1d00d55f4

MD5 hash:

c9df2a39cf96869fe872cbe4b31019d7

SHA1 hash:

c8ae8d25e6fd7a77ba2cf47174c98a74204b4eec

Link:

https://www.unpac.me/results/d59bedc8-e6e3-4f73-be6a-24e9615c9eea/

SH256 hash:

3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03

MD5 hash:

1619753b625e58c25b73fbf1f0bff482

SHA1 hash:

c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4

Link:

https://www.unpac.me/results/d59bedc8-e6e3-4f73-be6a-24e9615c9eea/

SH256 hash:

4a89b284146a7af694f172a03a223b8cbdc30f685ae2b56f8184e9cbd04c6e88

MD5 hash:

efd7356509a586c91428721ce4bdbc1b

SHA1 hash:

b512c88ce8b890e2791778e505f353e2d99a38ff

Link:

https://www.unpac.me/results/d59bedc8-e6e3-4f73-be6a-24e9615c9eea/

SH256 hash:

4ee60523f3c5539d03eddfc2e17cbd4dbf19a18e8909d0d588ad103d6edf035b

MD5 hash:

bff6f69f0462353c9d308ccb4177a957

SHA1 hash:

7cd553cb3f39bd241ac315627c486759299fc218

Link:

https://www.unpac.me/results/d59bedc8-e6e3-4f73-be6a-24e9615c9eea/

SH256 hash:

0c9ea4c7cfcfd1c7ea100f4a4cf23e69c796b7e2b78c35eb6a81eb5333d1d3be

MD5 hash:

adf3807dfa1d3ff4b8f8b3bc7bc27eba

SHA1 hash:

752ce34fff22c7382bf739fec12ac1dca448c979

Link:

https://www.unpac.me/results/d59bedc8-e6e3-4f73-be6a-24e9615c9eea/

SH256 hash:

88f1607f10158969999f758a64a9c7543f267c4f90517c355e7e9aeaa8dd6983

MD5 hash:

b701cd2432dda77c8ab19dc20a640f81

SHA1 hash:

3998a4cc10e9a4c876300fb0f41c656d3eaeb878

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/d59bedc8-e6e3-4f73-be6a-24e9615c9eea/

Parent samples :

20d3073814656292b0e0604dcc4ff918ec607af69c41a0d8400376cdeea6c236
95a1460cc5234be6e73249c8300e11caed618795efde6a39064990ab44c6df74
bfd4c6e93569ce5fb18f0196d8d9a15dba7d080d7881f1faf71e43f4fc543941
ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885
57520e51bb0820741b7883926800223886c491a8a5ddd517a49b0e2cc752fb18
0ca92ca94e8cee6d8867a9013fbb90ec9a322b39300b189e49cacbec15307b38

SH256 hash:

ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885

MD5 hash:

ebfecf3757e1609c36bc2b9799bdb9a3

SHA1 hash:

b9f8b8faf0649216e198c97d0cfcb9275e57b8e7

Link:

https://www.unpac.me/results/d59bedc8-e6e3-4f73-be6a-24e9615c9eea/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ef1448decefb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/339231/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample