MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39f4fa7ffcf9d992c076261fe06338f72c2436e5903e1acb0bd7e111036fc627. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 1 Comments

SHA256 hash: 39f4fa7ffcf9d992c076261fe06338f72c2436e5903e1acb0bd7e111036fc627
SHA3-384 hash: 3a6cf9ced46610551f85b05952d09cd13a8cbe28f3fe1a3c42d91683cbd38a511523035657394aa54e96ee14aab5efe5
SHA1 hash: a5431ef3c1b09653b9849782baa224a655219b6d
MD5 hash: 7e0becc6c23c266197380a8efd8bbe6b
humanhash: apart-seventeen-one-october
File name:TT USD.xls
Download: download sample
Signature Loki
File size:337'920 bytes
First seen:2020-07-31 09:25:19 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 6144:TxEtjPOtioVjDGUU1qfDlavx+W2QnA7Zc33nRGtUjc6iUcTjyVgMeWeAfm1egr/V:j8BGKjcygMep1egr/yzMIz8L
TLSH 1274E1B4F964C802C55587394CDAA6B1332FFD814EF54A0B3246F76E2B33A454B63A47
Reporter @abuse_ch
Tags:Loki xls


Twitter
@abuse_ch
Malspam distributing Loki:

HELO: mx.minimed.ru
Sending IP: 188.128.7.42
From: Akaun <ctt@treza.com.mx>
Subject: Pembayaran
Attachment: TT USD.xls

Loki payload URL:
https://irregnancised.com/ftiloe/KHFOPL.exe

Loki C2:
http://104.223.143.234/coconut/Panel/Panel/five/fre.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
36
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to register a low level keyboard hook
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with hexadecimal encoded strings
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Office process drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: MS Office Product Spawning Exe in User Dir
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255256 Sample: TT USD.xls Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Document exploit detected (drops PE files) 2->49 51 Yara detected AgentTesla 2->51 53 8 other signatures 2->53 10 EXCEL.EXE 35 42 2->10         started        process3 dnsIp4 43 irregnancised.com 67.215.233.8, 21, 443, 49726 ASN-QUADRANET-GLOBALUS United States 10->43 35 C:\Users\user\AppData\Roaming\ccsm.exe, PE32 10->35 dropped 37 C:\Users\user\AppData\Local\...\KHFOPL[1].exe, PE32 10->37 dropped 59 Document exploit detected (creates forbidden files) 10->59 61 Document exploit detected (process start blacklist hit) 10->61 63 Document exploit detected (UrlDownloadToFile) 10->63 15 ccsm.exe 9 10->15         started        file5 signatures6 process7 file8 41 C:\Users\user\AppData\...\KHFOPL.sfx.exe, PE32 15->41 dropped 18 cmd.exe 1 15->18         started        process9 process10 20 KHFOPL.sfx.exe 8 18->20         started        23 conhost.exe 18->23         started        file11 33 C:\Users\user\AppData\Roaming\KHFOPL.exe, PE32 20->33 dropped 25 KHFOPL.exe 2 20->25         started        process12 signatures13 55 Binary is likely a compiled AutoIt script file 25->55 57 Sample uses process hollowing technique 25->57 28 vbc.exe 15 2 25->28         started        process14 dnsIp15 45 ftp.irregnancised.com 28->45 39 C:\Windows\System32\drivers\etc\hosts, ASCII 28->39 dropped 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->65 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 28->67 69 Tries to steal Mail credentials (via file access) 28->69 71 6 other signatures 28->71 file16 signatures17
Threat name:
Script-Macro.Trojan.Ymacco
Status:
Malicious
First seen:
2020-07-31 06:21:19 UTC
AV detection:
13 of 31 (41.94%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Behaviour
Suspicious Office macro
Office macro that triggers on suspicious action
Threat name:
Detplock
Score:
0.70

Yara Signatures


Rule name:SharedStrings
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Excel file xls 39f4fa7ffcf9d992c076261fe06338f72c2436e5903e1acb0bd7e111036fc627

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments