MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9e2b4bbf2bd2f5e267f01e74ed12025fc3fcebfbd534a59f083db8a080e5f32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9e2b4bbf2bd2f5e267f01e74ed12025fc3fcebfbd534a59f083db8a080e5f32
SHA3-384 hash: 847d85fa5fc6fee8e1f52a41b3ed96864fc0ecd1dbca6d481967b5185007ab456fdc4b00689643be2813e43999047326
SHA1 hash: e34469a707b5464cea799400080ae57770856007
MD5 hash: a1634ded3ebadcf1060f89368cf5db71
humanhash: colorado-charlie-freddie-floor
File name:DHL Shipping Invoice 199873547435-pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:169'472 bytes
First seen:2020-07-13 06:37:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:ey707/Pixn4nHUNQqs9/uq3FyfMuJJOSUv+V1n6F7tCgxjS:eo4HNqsF3FiMQ/Uv+VhSAgxj
Threatray 1'720 similar samples on MalwareBazaar
TLSH 8BF3AC4D438A46A7ED219971BCAA3B00C265253D7C53F7BDFE193203B9123D95173A3A
Reporter abuse_ch
Tags:DHL exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: hwsrv-742504.hostwindsdns.com
Sending IP: 192.236.176.130
From: DHL Global Mail Inc © <Deliveryteam1@dhl.com>
Subject: DHL Arrival Notification AWB no #0904202076
Attachment: DHL Shipping Invoice 199873547435-pdf.gz (contains "DHL Shipping Invoice 199873547435-pdf.exe")

Loki C2:
http://niskioglasi.rs/test2/Panel/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25018/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9e2b4bbf2bd2f5e267f01e74ed12025fc3fcebfbd534a59f083db8a080e5f32/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-13 06:39:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hrljo7sxuxv4jt7ahtu5ujaex6d7tv7xvjuuwpqqpnyucaol4za._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
070df000e80ccf39e53f4aa7eab00126fee74516937d795f1cef25f6321acc12
Loki
24525c617a94df99025ac3d748b7ab13aba5ed37aea5100cd424e684760a43da
Loki
2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee
Loki
34f5833d282f7d896be6f560a66acfe0386ae8aea8a4724debe0b57ec7b74520
Loki
5056afb57576d4fc72369a0c11d434406085f7e62f773f3db7e297061cba717a
Loki
57e052aa747095c82cdc7e459d734e98bf1dde6853d94f2b1179f47b30ddcdad
Loki
6af0d9e7f7aaaa03a685b4fa6e003b55ded357d4d35874f98b8deaafbae7f2b1
Loki
aa5bb63c10ba7512a7f1612ca4b89768023be9fe17bcdf07665ec06640ca242d
Loki
aff8e79eb627e87ebf95d5f77df5a0ca063004b733df90cd1caad8350eca88b3
Loki
edc773741982183fbbca2bc01649bdd6904f8aac5392cec6cfcfeab881c1e727
Loki
+ 1'710 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:lokibot
Link:
https://tria.ge/reports/200713-wwxrhccc5a/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
niskioglasi.rs/test2/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz 242b2febb2940dc62db71d78a5475bbb7eedf748ae4bb37f4869cfb38a6e2137

Loki

Executable exe f9e2b4bbf2bd2f5e267f01e74ed12025fc3fcebfbd534a59f083db8a080e5f32

(this sample)

  
Dropped by
MD5 8db20ce44bbdf2040693a1ae068990d0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25018/
  
Dropped by
SHA256 242b2febb2940dc62db71d78a5475bbb7eedf748ae4bb37f4869cfb38a6e2137

Comments