MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207
SHA3-384 hash: dee9aeeadd0bf0ddc97a5eb92513453fe24c1f1f471b7ae7b5fc319e507ae0460f3491cf9e921f8d378f4015d2d6b1f1
SHA1 hash: 12815966f19753f9fa7035179138b449dc0281b3
MD5 hash: e9d26537e90ed16f25562af4e1f32d67
humanhash: beer-dakota-ten-sierra
File name:e9d26537e90ed16f25562af4e1f32d67.exe
Download: download sample
Signature Loki
Create hunting rule
File size:768'094 bytes
First seen:2024-08-02 12:45:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:UcrNS33L10QdrXPMztnIQ0oZCkv6JkDTziH4nIAdL+tFiZsQTZjWR7Tyr5W4uO3w:vNA3R5drXPUtI0ZCkvTOUN+tFimQq7TR
Threatray 2'796 similar samples on MalwareBazaar
TLSH T156F40242FBD284B2E5331932593AB715A5BCBD301E28CA5FB3D44D6D9E75082B231B63
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f8d88e0b2b8ee4e0 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://94.156.66.169/drhwttsg/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.156.66.169/drhwttsg/Panel/five/fre.php https://threatfox.abuse.ch/ioc/1306287/

Intelligence

File Origin
# of uploads :
1
# of downloads :
491
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Transferencia.lnk.lnk
Verdict:
Malicious activity
Analysis date:
2024-08-02 12:39:48 UTC
Tags:
stealer lokibot trojan
Link:
https://app.any.run/tasks/4472d26b-2256-4502-b33e-2804d09f584c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66acd50db7a04efc7439a773
Tags:
Banker Encryption Execution Generic Network Other Static Stealth Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Running batch commands
Creating a process from a recently created file
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed setupapi sfx shdocvw shell32
Link:
https://www.filescan.io/uploads/66acd51378d5c73fb1cb3310/reports/7ef1297b-6f76-4a80-916e-526850b0a3a0/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fff729bb-8309-4e57-a4b3-2f27c548477b
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1486804
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses known network protocols on non-standard ports
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1486804 Sample: lfcpWgKyDK.exe Startdate: 02/08/2024 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus detection for URL or domain 2->42 44 7 other signatures 2->44 9 lfcpWgKyDK.exe 9 2->9         started        process3 file4 32 C:\Users\user\AppData\...\dxhdxtx.sfx.exe, PE32 9->32 dropped 12 cmd.exe 1 9->12         started        process5 process6 14 dxhdxtx.sfx.exe 8 12->14         started        18 conhost.exe 12->18         started        file7 34 C:\Users\user\AppData\Local\...\dxhdxtx.exe, PE32 14->34 dropped 60 Multi AV Scanner detection for dropped file 14->60 20 dxhdxtx.exe 1 14->20         started        signatures8 process9 signatures10 46 Detected unpacking (changes PE section rights) 20->46 48 Tries to steal Mail credentials (via file registry) 20->48 50 Machine Learning detection for dropped file 20->50 23 dxhdxtx.exe 55 20->23         started        28 dxhdxtx.exe 20->28         started        process11 dnsIp12 36 94.156.66.169, 49706, 49707, 49708 TERASYST-ASBG Bulgaria 23->36 30 C:\Users\user\AppData\...\31437F.exe (copy), PE32 23->30 dropped 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->52 54 Tries to steal Mail credentials (via file / registry access) 23->54 56 Tries to harvest and steal ftp login credentials 23->56 58 Tries to harvest and steal browser information (history, passwords, etc) 23->58 file13 signatures14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2024-08-02 09:44:17 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6zxcw3mtwl7bexamo4esmkdmmnywzmctrp2ojp3mi7x7m6zzwidq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2407da1627f35dafc162c06c93c95d612ac0349488241d297152e41d0f8af7a0
Loki
38ab1533c224b90043299dc9b2a42bf456d0521de6d89a8eeb44336771943c3f
Loki
3b253bddd8e49b0353b44254fdc82c53c1614f5c2d09e2fde95698ad3a7815a0
Loki
578153b3c97aeb8bee7d4c75e6fadc389575385968df4fd4f39f71871f7ed1f8
Loki
5d99ab24811624ef3c5f5d8c9b71009ebe33acfbb235cb58400c2a4b6e0c30bf
Loki
795af0703ab2ab7cfcfcc38449e7da1a20967be437e5877ee27da317b3991357
Loki
870725e89161945a6c45da72a9930d718850e96995d6e11e2451af1de45ceaf4
Loki
e2716a711f6bb22d2ff77e0da881b24d16b554bc081b6a7d11d23027d4a47670
Loki
f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207
Loki
+ 2'786 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection credential_access discovery spyware stealer trojan
Link:
https://tria.ge/reports/240802-pzlrya1fpa/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Lokibot
Malware Config
C2 Extraction:
http://94.156.66.169:5334/drhwttsg/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b20be693-3323-4f9e-9a71-70c454ce2eee
Unpacked files
SH256 hash:
a5ef413fee24206d8ca92794b64adc76eb85a6481c97117d8c6c64a95edc75d1
MD5 hash:
777eead11117dcd50fc854331b5ee963
SHA1 hash:
bf43049a94d20c95c05744632f211556a561659d
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/714e98eb-747e-40d5-9b2c-d760c82daae7/
SH256 hash:
3595e68e17a71f35ab55b6efec613129e8731eb7502077663f6902182cb453ba
MD5 hash:
4908b1d5a4fe9ff8fdc5478b40a3571c
SHA1 hash:
829f56eb82b3ddb6721c7900c6af4bf3d348ca2e
Link:
https://www.unpac.me/results/714e98eb-747e-40d5-9b2c-d760c82daae7/
SH256 hash:
4f485bca9e3d688de0ec01b99bee838f48a94f3724d66c44a41fde9382f30505
MD5 hash:
78180a11f52f27489c23500feadd0ca0
SHA1 hash:
51d64cf1e46baf7b1318dcc2d7a0871ee9a9a397
Link:
https://www.unpac.me/results/714e98eb-747e-40d5-9b2c-d760c82daae7/
SH256 hash:
5b89a4a0987fa65f2cecdcb1f5384cf660a8b9fa63432adf512ad97e96c88f13
MD5 hash:
267c18de55661cbf20fc1e95a364482a
SHA1 hash:
24245528c1841b86e851f9712ba75e1b898efc2e
Link:
https://www.unpac.me/results/714e98eb-747e-40d5-9b2c-d760c82daae7/
SH256 hash:
dfbfba62cd899b4411fcbcc068c16c1c0fb7ede544cef5273c327ebffb091044
MD5 hash:
0ed499f82053224ffb59dac2f4c063ab
SHA1 hash:
e1695eb00d6604c0e02cada12269bc0b2fb0108f
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/714e98eb-747e-40d5-9b2c-d760c82daae7/
SH256 hash:
f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207
MD5 hash:
e9d26537e90ed16f25562af4e1f32d67
SHA1 hash:
12815966f19753f9fa7035179138b449dc0281b3
Link:
https://www.unpac.me/results/714e98eb-747e-40d5-9b2c-d760c82daae7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe f66e2b6d93b2fe125c0c770926286c63716cb0538bf4e4bf6c47eff67b39b207

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3084846/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments