MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0de6342a3e6c3da50a23bc72936913ca10acecd5792ada960d6bbfc72469ed23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0de6342a3e6c3da50a23bc72936913ca10acecd5792ada960d6bbfc72469ed23
SHA3-384 hash: b83388892eccc6953c7b9b09f16932bfb7511c27775f9c82603c4dd8c8a6b30603ed04ddf8db82f9cb99ceb201ba1eec
SHA1 hash: b3f5368b43f0840334b28da2b81b7c57249b69c0
MD5 hash: b10cace39f2140d73f7832ee5a84de3f
humanhash: enemy-shade-nevada-nitrogen
File name:Shipping Documents.exe
Download: download sample
Signature Loki
Create hunting rule
File size:498'688 bytes
First seen:2022-05-13 06:08:21 UTC
Last seen:2022-05-13 06:09:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:l0LXvzOe8NzrHffKh5CEHfbeqa1zoeNlPn1UL0xi0/:6zD6fKhoEHKqa5o0l/1UL2i0
Threatray 8'730 similar samples on MalwareBazaar
TLSH T1F5B402267692EA22C5AC0572C8E340DC03B15F4B9D73EB873A8D75960A733E15DC9B4B
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270295/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/627df605804c0977d3e9b171/reports/4239aab1-8394-46e0-a820-dcdbf6c48c90/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2ee78f7-b5c6-4523-8aa5-4a66b4aca38a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/993323
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0de6342a3e6c3da50a23bc72936913ca10acecd5792ada960d6bbfc72469ed23/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-13 04:25:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxtdikr6nq62kcrdxrzjg2itziikz3gvpevnvfqnno74ojdj5urq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1de2822a0cb24fb21e63f7947634b9599f1301982d5d9cd0db9f51630724924a
Loki
2506b2a02661090a54c83c345336f60cdf5bacbb344b40a9de074b2581b7b442
Loki
348c4a66d4844d4636c90862d8b9c481e58fd38df59ba25a4b46744868e46800
Loki
390796f50289b51ac5df16901e1812d0ff3cc32ec6ac1a78bc0862775e520413
Loki
8f4264a504f18bc7e8e8275284a1c3e91c2ccee846ebefed6a29d24a25d63931
Loki
f865fe68e4b6d8f8eecb7cf3f498c1792d9bad74bbd7fd96448cc928d3f4be07
Loki
+ 8'720 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220513-gwfshsfgej/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=17642814389135937
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9
MD5 hash:
6c9e813248a01432890c476813d210b8
SHA1 hash:
fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8
Link:
https://www.unpac.me/results/f02174db-1c4e-42ce-8fa3-0fc362f14469/
SH256 hash:
698f985f106fa90ae4c22b6f67bb02a22bac338c97ff3833526f376bf27edd9a
MD5 hash:
d304196096c68d4295f96fe4c47eeb80
SHA1 hash:
4fdff0ccb0160f521961a76259598a1526774334
Link:
https://www.unpac.me/results/f02174db-1c4e-42ce-8fa3-0fc362f14469/
SH256 hash:
3fb7741748497489856aa3ce10c539a888b9d543342f48e3ae2a3b83dbfc66a3
MD5 hash:
1969a3e24539061b3eb23cdbceb39813
SHA1 hash:
292731215806eddfbf96bd64383206ac045a9a7b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/f02174db-1c4e-42ce-8fa3-0fc362f14469/
Parent samples :
6f497e6870e797642b3e60cd2fe0ce110f84a65ac19ef361ad209691c431b661
60c4d240418f3b3cd11f7fd23ec92f98dd14da4f3e0a9181c8fd4389b952ff5f
3d82bb33c459345d29b25f5085f05b6e5276f6c863db156804c775d024820867
e3da3ef435f9889961ea3b5e801413482936fe620daae2bf3a6fbe94775815e6
348f2b5862c7c23c20796418f8fd234f91ddb5a8dbf88c0115df2937bce6179f
1c42e0a7af953608eace7bfeb0959f1bdd6194f248fd26151b9e4b9918bbce02
45396f2515913a19682e40490b5db745429ad2cd0dcb9068103d8fbac833287c
0de6342a3e6c3da50a23bc72936913ca10acecd5792ada960d6bbfc72469ed23
SH256 hash:
b3ca792a898d58eb6d5533d4fe48e2ba17f7879ebcd2f96c2b45536e0928f589
MD5 hash:
49998ff8d73c79bc84219f7d8714cda9
SHA1 hash:
00863a7ce5cac9a42037fc9b2ef5e6d94e7bb3e3
Link:
https://www.unpac.me/results/f02174db-1c4e-42ce-8fa3-0fc362f14469/
SH256 hash:
0de6342a3e6c3da50a23bc72936913ca10acecd5792ada960d6bbfc72469ed23
MD5 hash:
b10cace39f2140d73f7832ee5a84de3f
SHA1 hash:
b3f5368b43f0840334b28da2b81b7c57249b69c0
Link:
https://www.unpac.me/results/f02174db-1c4e-42ce-8fa3-0fc362f14469/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0de6342a3e6c3da50a23bc72936913ca10acecd5792ada960d6bbfc72469ed23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 0de6342a3e6c3da50a23bc72936913ca10acecd5792ada960d6bbfc72469ed23

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/270295/

Comments