MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdec06df5406c4ce7396704a8160927a2bdceeac0bb111b702ec310498e9a5ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdec06df5406c4ce7396704a8160927a2bdceeac0bb111b702ec310498e9a5ba
SHA3-384 hash: e738459c6bd728a64d4ca7aed6ad1326eb7062bdda70f3be8eeba7528eb98248b36f82ce055ab9313716296b76f7d939
SHA1 hash: 7241b889fd834b483aa1f597213eb53632b2d94d
MD5 hash: fbbefa2bf51016a540da3b67d0da5120
humanhash: mockingbird-summer-oven-quebec
File name:fbbefa2bf51016a540da3b67d0da5120
Download: download sample
Signature Loki
Create hunting rule
File size:169'150 bytes
First seen:2021-07-22 14:34:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 3072:sr85Cl1UVu2viHUjyrrMiIdFcpALdqaaA0jRGxmBkfJpRXATwMdFCcGbY+i:k9lWu2viHIy/QFcpfaaJtGMqjIKY+i
Threatray 3'828 similar samples on MalwareBazaar
TLSH T1DCF3E155BAB0C8B3C2300A74DD39D7B58ABA7A226C61069377F55F8EFCBA7C1190D142
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe Loki Neshta

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fbbefa2bf51016a540da3b67d0da5120
Verdict:
Malicious activity
Analysis date:
2021-07-22 14:36:50 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/484fd104-8a11-40ad-bab0-ca5c9e3845f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173348/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51d9a6ab-8322-4426-b60b-0d8541d3a953
Result
Threat name:
Lokibot Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820195
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452606 Sample: PH3Q7aISZ6 Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 34 dyjcgvdfgdzgzdzzf.gq 2->34 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for dropped file 2->48 50 9 other signatures 2->50 8 PH3Q7aISZ6.exe 4 2->8         started        signatures3 process4 file5 20 C:\Windows\svchost.com, PE32 8->20 dropped 22 C:\Users\user\AppData\Local\...\setup.exe, PE32 8->22 dropped 24 C:\Users\user\AppData\...\PH3Q7aISZ6.exe, PE32 8->24 dropped 26 110 other malicious files 8->26 dropped 52 Creates an undocumented autostart registry key 8->52 54 Drops PE files with a suspicious file extension 8->54 56 Drops executable to a common third party application directory 8->56 58 Infects executable files (exe, dll, sys, html) 8->58 12 PH3Q7aISZ6.exe 17 8->12         started        signatures6 process7 file8 28 C:\Users\user\AppData\Local\Temp\fmqoie.dll, PE32 12->28 dropped 60 Detected unpacking (changes PE section rights) 12->60 62 Detected unpacking (overwrites its own PE header) 12->62 64 Tries to steal Mail credentials (via file registry) 12->64 66 Maps a DLL or memory area into another process 12->66 16 PH3Q7aISZ6.exe 57 12->16         started        signatures9 process10 dnsIp11 30 dyjcgvdfgdzgzdzzf.gq 16->30 32 192.168.2.1 unknown unknown 16->32 36 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->36 38 Tries to steal Mail credentials (via file access) 16->38 40 Tries to harvest and steal ftp login credentials 16->40 42 Tries to harvest and steal browser information (history, passwords, etc) 16->42 signatures12
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fdec06df5406c4ce7396704a8160927a2bdceeac0bb111b702ec310498e9a5ba/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-07-21 19:39:32 UTC
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
6497084e19295b7d1b081fe8d24a6ef204bbd2713e46ae3414de1cacce1f364c
Loki
6ebd45483d2222727a82c70feeb7c19017751b381247c7917462f26678d313d8
Loki
82b4deebf79267e382a6fb39d382a224aa72172e14edb7c52ad190e3dd2909ea
Loki
98ee9eb5449562fdfe5e0a448cec7ef60f315e5f8a7c65c40a5b61290bcbe97d
Loki
d29732d660ad3b3e1f478b179c69afae0274e5e40354e5136e22376371e795b6
Loki
de3292924ba69a7f7dfd5b6687d6c774a7aecf8e2ac1368d30ce81c61a14e73f
Loki
+ 3'818 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence spyware stealer trojan
Link:
https://tria.ge/reports/210722-czh7xkq5an/
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Modifies system executable filetype association
Malware Config
C2 Extraction:
http://dyjcgvdfgdzgzdzzf.gq/BN1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
fdec06df5406c4ce7396704a8160927a2bdceeac0bb111b702ec310498e9a5ba
MD5 hash:
fbbefa2bf51016a540da3b67d0da5120
SHA1 hash:
7241b889fd834b483aa1f597213eb53632b2d94d
Detections:
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/8d1a9501-3a30-4875-8817-0724bd315f7d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fdec06df5406c4ce7396704a8160927a2bdceeac0bb111b702ec310498e9a5ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe fdec06df5406c4ce7396704a8160927a2bdceeac0bb111b702ec310498e9a5ba

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/173348/
  
URLhaus
https://urlhaus.abuse.ch/url/1458584/

Comments