MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945
SHA3-384 hash: 16997808961566ce90913cde183049b3ed56d2f6f3a466522fd1ec03d9b173c27c1e243bb2c1cf89a2f8ee340101a39e
SHA1 hash: 6893b3688d7940c4f0d6847e6744dbbcfb8e0a3f
MD5 hash: e7180bec6b19b49a887805e5aa03581f
humanhash: charlie-pizza-eight-burger
File name:Quote.exe
Download: download sample
Signature Loki
Create hunting rule
File size:510'464 bytes
First seen:2020-10-06 06:27:50 UTC
Last seen:2020-10-06 08:12:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:YRQ/GxBj95mF6AffFijZWsFEyRrdgPWqoGYI6L5JccZ:NMj9g4AIguhdgP1oG2Lv
Threatray 1'540 similar samples on MalwareBazaar
TLSH 80B4F10923F8D745D5BD637B6420505033F1A907D626F25CFEAEB06DB873A80CE96B92
Reporter abuse_ch
Tags:exe geo KOR Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail-smail-vm43.hanmail.net
Sending IP: 203.133.180.231
From: 신형섭 <lolepys@daum.net>
Subject: 견적 만
Attachment: Quote.cab (contains "Quote.exe")

Loki C2:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/white/Panel/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68474/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482448
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 04:15:18 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66okzoqkehok6blki7llzvaif3izyqthk2hoi33vwfseryozrfcq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
3174c59112b25985b8c1454e28c3e42dce2e6b44e3da96d891bfd25622e586ea
Loki
35ba63b01ddc9f28a887e6286e205db48ae20c6b70f181d9f026abe468e4f32c
Loki
59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa
Loki
8ab355a4e825d4b233ce66f8e5f5b75b4c161cbb25f070f3355b6b15625dc784
Loki
9a09e075c72d1054035ab56fc790933d097a8a3986e0a1eca8b925606d304956
Loki
9d9e3278180f9d8b038c943eaf74a91002f30ff456bc7e8dfef40ef1a4e8fb4a
Loki
aedef2c77ed57c78a04e0744ebd77d6d2dfb743276ca83c39ebb9afd93123704
Loki
eb62fd0141733058ab86e491cd42e645341527cbaa10f339438528071ca17d28
Loki
fa2bcbff57b3c111ea69b6f47cb4f39c4111b124ef97e3ee00347a175f67e93d
Loki
fcfc827205cd38cdf997f72b1d58eba51ac12da6ba5939279b626522b11fd938
Loki
+ 1'530 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201006-8121a6ck9s/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/coautomaquinaria.com/http/79.124.8.8/white/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945
MD5 hash:
e7180bec6b19b49a887805e5aa03581f
SHA1 hash:
6893b3688d7940c4f0d6847e6744dbbcfb8e0a3f
Link:
https://www.unpac.me/results/3239e1f6-c0b0-4bed-b17c-0531a07071cc/
SH256 hash:
0428be7b8e1630a8e9ffcc2c1ec2b0f850830c27f643a37d7cda86fd09bb17fd
MD5 hash:
87ca9d0aba912b247e2d2c6b00058b85
SHA1 hash:
19ce24eb14f2610e2b89d7c6504ed17a5aa4b79b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/3239e1f6-c0b0-4bed-b17c-0531a07071cc/
Parent samples :
503cec3d1e7545f610736aa3ee4473b3e0f28ee2bd80b682e8d8f687c2410008
f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945
8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/3239e1f6-c0b0-4bed-b17c-0531a07071cc/
SH256 hash:
8069dd9fbeb2f1d8881c475801042dda3ce097a8a18fdae77caf35e1e532d044
MD5 hash:
358ded2e5005dec3ce41d3743314d97d
SHA1 hash:
623800facf0409f9bfc56377d5de3bf489b811f9
Link:
https://www.unpac.me/results/3239e1f6-c0b0-4bed-b17c-0531a07071cc/
SH256 hash:
8a57802b9ec52f86645b27b4c2c4c649d17fd64a5e24b446ed38ee38546fea65
MD5 hash:
e52fd038f7179b64c25740b15e91f931
SHA1 hash:
6e5f8d025255fadaca17d46da744860184f2de2c
Link:
https://www.unpac.me/results/3239e1f6-c0b0-4bed-b17c-0531a07071cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab 9bcf5c3896a93bb8d1500fae363d6809407bd6c78bec5cedea76dcbc4dccb110

Loki

Executable exe f79cacba0a21dcaf056a47d6bcd4082ed19c4267568ee46f75b16448e1d98945

(this sample)

  
Dropped by
MD5 d96ad2ecbe898e9c5f6f6289c73c537c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68474/
  
Dropped by
SHA256 9bcf5c3896a93bb8d1500fae363d6809407bd6c78bec5cedea76dcbc4dccb110

Comments