MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 1 File information Comments 1

SHA256 hash:	f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e
SHA3-384 hash:	24969b103a60c545dd0632ef266305dc6970e6f7a169269f208d9da9986487cce6330b02377a0588de50f18942fce8a7
SHA1 hash:	c3a6ab3be4b29a9a3b60b42fcbf684699d7e6dca
MD5 hash:	fadc26a8613fd4a8a0298e58d4eda870
humanhash:	michigan-april-music-ten
File name:	fadc26a8613fd4a8a0298e58d4eda870
Download:	download sample
Signature	Loki Create hunting rule
File size:	298'496 bytes
First seen:	2023-11-30 10:28:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	52c989b623059b029b98f089e46c54ff (2 x Smoke Loader, 2 x Tofsee, 1 x Stealc)
ssdeep	1536:Rgx8doI6U6WPxkEdaWMPBAcWLI8RYFLNKqkg1nUThULmgN0+UAf50mihem5No5m7:2qBxOG0r93n4600L8E5mPXUXsiM
Threatray	4'334 similar samples on MalwareBazaar
TLSH	T12254E65382F17D45E9268B729F2FE6ECB75EF2508E8A776912199E1F00B11B3C263710
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	08010828410d4523 (1 x Loki)
Reporter	zbetcheckin
Tags:	32 exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

383

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

fadc26a8613fd4a8a0298e58d4eda870

Verdict:

Malicious activity

Analysis date:

2023-11-30 10:31:27 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/c4cc95cb-71ef-4ba4-baf7-c24c70fb5956

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/461382/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Gathering data

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/466bc13e-51ed-4d5a-a193-ee1608971a56

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1350477

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e/

Threat name:

Win32.Backdoor.Tofsee

Status:

Malicious

First seen:

2023-11-30 07:29:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 23 (91.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6exrpdg4tnq6ua4ihihz7avtc6rnwdxrv7tcs4clq44oy6u3vwha._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

6be525d464e45656332ec814975fbced53acfc8ff7ba0e165f2c66c85df47e20

Loki

834b73d2202e64d5ad7aca2f5763c5fa77683e7144ba53eb385a381cd99fc4ae

Loki

9a8a979e60fda73cadd6c9e5c879ef8f5987e8447907fee02060b397daf3f0b0

Loki

bab0471833dd6077c5dbf973fec9c438f46761ccac4f613afe3302b3a7f836b2

Loki

bf9544ac2abf7d615418a8e03e8226820c8ba48e049467136b257825ccf730f7

Loki

cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292

Loki

fc1cb340205716dfe03bff110a21e0350b23a54f8f62254fc6800d8248c14956

Loki

+ 4'324 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/231130-mh8h9sag47/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

https://sempersim.su/a14/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

601477fd9a5eddcb2edc4c14984d4ab3a8bbc70b6f8d8aeb4d4dcdfbf9a306ec

MD5 hash:

38de09e1e8b3ddb2de5bee69493bdef0

SHA1 hash:

760f70c1b10c59f4fc93c15cb7ee1b4f3fa2b1ea

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

STEALER_Lokibot

SUSP_XORed_URL_In_EXE

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_GENInfoStealer

Lokibot

Link:

https://www.unpac.me/results/b8ac3e1e-85f8-4a96-bcbe-3dbb83acc5fc/

Parent samples :

b8f3640dea3f2e076ea541cc764cef60ac8cdf9f25f01e728ae68dced5d04714
d581e18227b09069cce82bcb38f8bc2706ce37400e23ab173a903c4b01804275
af0b630ad64ed3f1b91f55389e78fe82c2b0dcaee4965b6442ec2c6814a38da5
da5c8721b3c8624f2234309272d145894cbb0242281c5bd7cfa9e804842fc6e2
bf9544ac2abf7d615418a8e03e8226820c8ba48e049467136b257825ccf730f7
ae8131e8c5b55b77c69a8962dcf41b811b0411f1b4c1d9e702d446e639648e97
47828de9e3c3b3bf2955c6cd2a72f2d75cb54c91756eee1b56a42bd1bf09f7f2
a3a3d37f3ca0dc20bb1e4ef9c90925369e9d5713e7ddb797ca2b7c2cea0414c3
da21ece2f4aa50ee504970a2fefed88038ade14bb3f68b0d6e388da6f40628c9
f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e
9b84ca1d7fb41a824ccb4693789fee6b94cea21cbd8645840814dfb650ffdb20
b37c2f6f3a9d1b078d6ca93e073a14baa50bb7496280d3529c87b0e8e2d1a36c

SH256 hash:

f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e

MD5 hash:

fadc26a8613fd4a8a0298e58d4eda870

SHA1 hash:

c3a6ab3be4b29a9a3b60b42fcbf684699d7e6dca

Link:

https://www.unpac.me/results/b8ac3e1e-85f8-4a96-bcbe-3dbb83acc5fc/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f12f178cdc9b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f12f178cdc9b61ea03883a0f9f82b317a2db0ef1afe629704b8738ec7a9bad8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.