MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0a60115eec641816250a23f1102e0a5038c1380a0602003dbe24b422b716f7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs 1 YARA File information Comments

SHA256 hash:	f0a60115eec641816250a23f1102e0a5038c1380a0602003dbe24b422b716f7a
SHA3-384 hash:	5b403ad17acfbf442baac2d9470c294895c37ed84787db92fdc0f3b8311e121b3f3c82d22048176bc8e2a6c32095d5ec
SHA1 hash:	e23ef182bd48c28b95e302e9042a2add4278caaa
MD5 hash:	6fcedb4c6e13790f51ea48f7de6c03b2
humanhash:	oxygen-wolfram-zulu-magazine
File name:	F0A60115EEC641816250A23F1102E0A5038C1380A0602.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	1'069'352 bytes
First seen:	2022-06-26 21:31:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0cb1b8c8c521f0cb93808f75e87e3b04 (1 x Loki)
ssdeep	3072:LoA1F/9yInXLU90aM5jPhPFIZlKHJiTjqFnt5V1yqFnt5V1X3kl6GgV1Xlnwqd:Lr1eI7UWaM9PhPFIsJasysZLWu
TLSH	T191358FE1BFB0E183C791583CA14C8B6D05F02E30AD464666E826BE2D55791F01BFD7AE
TrID	75.8% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	30f0f0e8ece8f030 (1 x Loki)
Reporter	abuse_ch
Tags:	exe Loki signed

Code Signing Certificate

Organisation:	Organization nation 2017 (r)
Issuer:	Organization nation 2017 (r)
Algorithm:	sha256WithRSAEncryption
Valid from:	2019-04-05T07:12:33Z
Valid to:	2022-04-04T07:12:33Z
Serial number:	01
Intelligence:	371 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	a1199d09432f131d5c0655e73339b9ec5ef3066cdd630603825979e17a7a268e
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Loki C2:
http://blacklifestyle.net/sitdown/workhard/prayhard/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://blacklifestyle.net/sitdown/workhard/prayhard/fre.php	https://threatfox.abuse.ch/ioc/729215/

Intelligence

File Origin

# of uploads :

# of downloads :

347

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

New Machine Enquiry050419#21.doc

Verdict:

Malicious activity

Analysis date:

2019-04-05 10:52:37 UTC

Tags:

exploit CVE-2017-11882 loader trojan lokibot

Link:

https://app.any.run/tasks/75604053-1db2-4de9-b867-dd8cec5c37e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/283368/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed razy zbot

Link:

https://www.filescan.io/uploads/62b8d08f1fcdba4e1a5cdaf1/reports/77029da5-53aa-489e-949f-046e3b3ae755/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/52314f2c-fab6-47cd-b5ad-6e431d2d1bd0

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1020034

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Generic Dropper

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0a60115eec641816250a23f1102e0a5038c1380a0602003dbe24b422b716f7a/

Threat name:

Win32.Infostealer.PonyStealer

Status:

Malicious

First seen:

2019-04-05 11:07:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ctacfpoyzaycysqui7rcaxauubyye4aubqcaa634jfuek3rn55a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

cloudeye

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220626-1dk43acdel/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://blacklifestyle.net/sitdown/workhard/prayhard/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

006fbbce2f360230c85f1d5743c0c0d088d443199f377e77298380ca8f7e56f0

MD5 hash:

60bdf6b60f63ad9bfcf847dc0b71e74b

SHA1 hash:

436be1a86eff05584157e5658ab7f78c2c95ce9e

Detections:

win_lokipws_g0

win_lokipws_auto

lokibot

Link:

https://www.unpac.me/results/3c9c67c7-7e43-403e-8655-ea862c843224/

SH256 hash:

f0a60115eec641816250a23f1102e0a5038c1380a0602003dbe24b422b716f7a

MD5 hash:

6fcedb4c6e13790f51ea48f7de6c03b2

SHA1 hash:

e23ef182bd48c28b95e302e9042a2add4278caaa

Link:

https://www.unpac.me/results/3c9c67c7-7e43-403e-8655-ea862c843224/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f0a60115eec6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f0a60115eec641816250a23f1102e0a5038c1380a0602003dbe24b422b716f7a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/283368/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample