MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f254f002d3465852e6c63f331e1688fa8ec089ce6f7e0d8d37f75bf039ead9de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	f254f002d3465852e6c63f331e1688fa8ec089ce6f7e0d8d37f75bf039ead9de
SHA3-384 hash:	534f552e2acf683c2c92829d042ca411d8f8037954784d5ed758beb68e245abd6d8a99d3882f19dc68b9b470eae62b79
SHA1 hash:	a6669d96724ab23977f78fa39050ff652393d488
MD5 hash:	00561c6b829578f9ed894ab0be61a7dc
humanhash:	snake-green-neptune-salami
File name:	PURCHASE ORDER N 02273 .exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	735'232 bytes
First seen:	2020-10-23 06:45:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:+kO8zy3OPCdku76RHdudff9BBmg84iAjmN7LlyczqcikS8L0W2LRgipmIOkpz4gk:V2S6ku7f9frBJVutzGciceHmUGd
Threatray	1'736 similar samples on MalwareBazaar
TLSH	D7F45ADD766072EFC857C5728EA82C78EA5079BB430F4253A42755ADDA0C887CF650F2
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Malspam distributing Loki:

From: Maria <opr.store@gourmetgarage.online>
Subject: Fwd: NEW ORDER
Attachment: PURCHASE ORDER N 02273 .gz (contains "PURCHASE ORDER N 02273 .exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/74927/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.bc.17220.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Reading critical registry keys

Creating a file

Changing a file

Replacing files

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Stealing user critical data

Moving of the original file

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/507798

Signature

Antivirus detection for URL or domain

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM_3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f254f002d3465852e6c63f331e1688fa8ec089ce6f7e0d8d37f75bf039ead9de/

Threat name:

ByteCode-MSIL.Ransomware.TeslaCrypt

Status:

Malicious

First seen:

2020-10-23 00:34:04 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6jkpaawtizmffzwgh4zr4fui7khmbcoon57a3djx65n7aopk3hpa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

spyware trojan stealer family:lokibot

Link:

https://tria.ge/reports/201023-swfnv9hz96/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://ad4teg.com/ccu/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

f254f002d3465852e6c63f331e1688fa8ec089ce6f7e0d8d37f75bf039ead9de

MD5 hash:

00561c6b829578f9ed894ab0be61a7dc

SHA1 hash:

a6669d96724ab23977f78fa39050ff652393d488

Link:

https://www.unpac.me/results/70ce0d3c-87e9-4054-996f-d64e79382e8f/

SH256 hash:

31de5d304c6e2019b83d3d643e7d81a80ac6b3a680098b2de4a73489fb2676b7

MD5 hash:

a0da9a07caacd3ec164bbe7a87d81627

SHA1 hash:

6da48f7ff297647088ac16a794fa82c19b3aa4ea

Link:

https://www.unpac.me/results/70ce0d3c-87e9-4054-996f-d64e79382e8f/

SH256 hash:

7757425e678ae778f2d1ec909f88012fe19d53e9de6bfd06421688b3abc8f8a9

MD5 hash:

5964eb5c6cd770db9aa51c930b90f45f

SHA1 hash:

dd0e730403d21fe68c7c74c4f28cbc7b72021503

Link:

https://www.unpac.me/results/70ce0d3c-87e9-4054-996f-d64e79382e8f/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/70ce0d3c-87e9-4054-996f-d64e79382e8f/

SH256 hash:

0499d0f733a15ec307f3532f25e319df59339342bea3cc003a3c882bac499068

MD5 hash:

ef946c6d0f2c532b09a4b587313c01b2

SHA1 hash:

eb08f3c51d2afaa75f048314afca735d7223d309

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/70ce0d3c-87e9-4054-996f-d64e79382e8f/

Parent samples :

eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853
0a58f60e4266e0d801a185d06903c24271d73314711f95ab0ed4eab349f6b938
f254f002d3465852e6c63f331e1688fa8ec089ce6f7e0d8d37f75bf039ead9de

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com