MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f29248ba63854390d06d1e2822772e6364baec857d4ea43d2101c72f16052915. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f29248ba63854390d06d1e2822772e6364baec857d4ea43d2101c72f16052915
SHA3-384 hash: e6e6bb086466ade4f69b2a394e62dd243b1c8917118e5d2351c3e081af323bcf8b66793aa406ad672e5ba7f6dde6be4f
SHA1 hash: 6192b8cd4764d2e807b85079881a5f0533001900
MD5 hash: d7cbd62dc8ce500c8a71aa070a1a795a
humanhash: oregon-moon-butter-uniform
File name:PI2 T20103(PO#115561)..exe
Download: download sample
Signature Loki
Create hunting rule
File size:671'232 bytes
First seen:2020-10-22 08:07:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:3GoIYOD13y12lBd2FCqwSUhJ1wAO6vc73Fle39A1GKZHNYPzodkg:2rd134odw3mJ1wALcrFUtA1GUKzod
Threatray 1'750 similar samples on MalwareBazaar
TLSH 09E49E90AD81C652E3DF5A74626CCE6883284CBE8B63C524CEE77DFF617CB595A42403
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: xnx0.529.vexxo.ml
Sending IP: 178.62.56.68
From: yvaine <yvaine@tonkeep.com>
Reply-To: jackli@tonkeep.com
Subject: RE: New PO 115561(PI T20103)
Attachment: PI2 T20103PO115561..cab (contains "PI2 T20103(PO#115561)..exe")

Loki C2:
http://ytho.com.vn/.ythocom/need/work/Panel/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74576/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
DNS request
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f29248ba63854390d06d1e2822772e6364baec857d4ea43d2101c72f16052915/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 07:44:47 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kjerotdqvbzbudndyuce5zomnslv3efpvhkipjbahds6fqffekq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
Loki
5388c70ef1d9bfc414a92c3aa4ea34db6992ee705813b5b4a2b4c28b435cbf6c
Loki
583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078
Loki
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
Loki
6eced51e9e9f798e79627188c69026a06a576021d112c8b94ed517f2576b009f
Loki
6f0c98efd3149c8527cf3f700d123da142275f32c166cf2ca2b186d1acc1286c
Loki
ab73e18e008df040137f633b32284b74ef48e5c603178c41287b5a1196e52943
Loki
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
Loki
dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
Loki
f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
Loki
+ 1'740 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201022-6fkratyydn/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
https://ytho.com.vn/.ythocom/need/work/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
f29248ba63854390d06d1e2822772e6364baec857d4ea43d2101c72f16052915
MD5 hash:
d7cbd62dc8ce500c8a71aa070a1a795a
SHA1 hash:
6192b8cd4764d2e807b85079881a5f0533001900
Link:
https://www.unpac.me/results/bfbd9af8-1cb2-46dc-b30f-1acc596bf722/
SH256 hash:
627d74d764d81b2498ff6769743fe93c950a3170f6253c631a0d408cd3b424fb
MD5 hash:
b554e1cc2fc28594b8cea5626661e0a5
SHA1 hash:
0546c99dc737b954b479d6af39e3f0b242eb2323
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/bfbd9af8-1cb2-46dc-b30f-1acc596bf722/
Parent samples :
f29248ba63854390d06d1e2822772e6364baec857d4ea43d2101c72f16052915
9254d3364f3dc1faec6f4f624e1c74f14ddfad19300eca7eb18a4a1a15cf4d98
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/bfbd9af8-1cb2-46dc-b30f-1acc596bf722/
SH256 hash:
f4be8a9cd03df01a3db5ebee67d75c21ea2197dfacf07acbfde3093041e04947
MD5 hash:
1d756926b21af2c083cb70f07669453c
SHA1 hash:
634d81a05ceabd1a2900102a818096dd01e0d220
Link:
https://www.unpac.me/results/bfbd9af8-1cb2-46dc-b30f-1acc596bf722/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

fb77857032a423d98210579c1464d53e

Loki

Executable exe f29248ba63854390d06d1e2822772e6364baec857d4ea43d2101c72f16052915

(this sample)

  
Dropped by
MD5 fb77857032a423d98210579c1464d53e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74576/

Comments