MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8
SHA3-384 hash: 1a7031fa376cfa5c1af847227af2481a94e86648919439e83097ed54d3fbc8b0a02e736742aa71cf168740d40f8d6638
SHA1 hash: ce259f97e18903b2658d7521c24ec969ad1950ff
MD5 hash: 15f01ee2811104e1b3751225c7154728
humanhash: mountain-hotel-london-mars
File name:15f01ee2811104e1b3751225c7154728
Download: download sample
Signature Loki
Create hunting rule
File size:234'496 bytes
First seen:2022-03-02 19:46:43 UTC
Last seen:2022-03-02 21:58:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 773c52d0914f529a889bc69eefc3fe56 (2 x ArkeiStealer, 1 x DanaBot, 1 x Smoke Loader)
ssdeep 3072:vACLMGpDyoBs3vbag4FEKCR88k5yKZdrk:1L5Oj/baNF0R9hCd
Threatray 6'646 similar samples on MalwareBazaar
TLSH T1F834CF263A93C4B2CC57E4746424C7A55F3ABC3617518A4F7BA826BF1F302E1277924A
File icon (PE):PE icon
dhash icon 38b078cccacccc53 (62 x Smoke Loader, 25 x Stop, 21 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/246497/
Detection(s):
SecuriteInfo.com.Packed-GEE15F01EE28111.30456.20504.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
DNS request
Stealing user critical data
Moving of the original file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7921/overview
Behaviour
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware lokibot
Link:
https://www.filescan.io/uploads/621fc9ba0cd58dbd9264f64d/reports/0d0a2116-bd9d-46d6-a914-b97f1a990f90/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/170c61a5-73d3-4cf4-9a3d-247b1e655704
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949490
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 18:06:31 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
34 of 42 (80.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vbvpfbuvucxlck4cllygfmpky4wy4swhhdw7hhajuapmatmdgua._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
018eb063bdb706558a85175f0be8cd1f6f7fc06c43d322a764b77741f6a0f004
Loki
237f3c37b08f15505c23ade97555e575f446ea31df98999e13917d33f6837c99
Loki
5af35520dd30145e091e7db9d4d9be25ec23cdf5b7d914a402ef880fb35bd558
Loki
6f975378cb65fa40e27b22cd6676e4385b46cdb0df3111cb94530a8615516281
Loki
8736334fb15c7ff407900e746c9a3a0d2db66226d15c28fa3151f09604f84b89
Loki
a4182d8f62fb365856798683af6277ad0c3b3a9d9788fe1e2cef07bb918197d6
Loki
cb59cd4c7a4896aab48aa27530bb65363920e5da091eec1aa2bdb538f9ae1491
Loki
+ 6'636 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220302-yhjexsgba2/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://164.90.194.235/?id=17007285853618101
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
5ef5622dbc703f03e928b6c5924d5dc84bf5a1b5f9b2f9372afaf5e8dc2323fb
MD5 hash:
1bc58cb103bb1d43219e88ea27651ca8
SHA1 hash:
eebfc51c136c667f9bad76d856de9fedb3705dba
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/96f13cb0-38e1-4a51-976a-9a240445c275/
Parent samples :
96d4f14f8d1be02a21feb4533eca4f270716e7b0feefe6e5a477454f13db99d1
082565f03fa8f59b87354a271edcf92c6559472043e21fef60a47cfc6072f495
fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8
29e35c799198c6801c422f8d1f014d8c2e024186220fc959de30e222f6be286d
8c6e740b2a9841664d6824708850c48260c34646dae42455a6b9e31863a26bf9
c5fb4d13bb4b34f9670bc238a047b53c4392b299139c3da8b2b70ba9ddd3db2d
d74ebe06d17fc8e347dda04ca17006fa2f24deb7df06617feb13bffdc9bee476
SH256 hash:
fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8
MD5 hash:
15f01ee2811104e1b3751225c7154728
SHA1 hash:
ce259f97e18903b2658d7521c24ec969ad1950ff
Link:
https://www.unpac.me/results/96f13cb0-38e1-4a51-976a-9a240445c275/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fd43579434ad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe fd43579434ad0575895c12d783158f56396c725639c76f9ce04d00f6026c19a8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2071284/
Cape
Cape
https://www.capesandbox.com/analysis/246497/

Comments


Avatar
zbet commented on 2022-03-02 19:46:48 UTC

url : hxxp://172.245.119.63/80/vbc.exe