MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a
SHA3-384 hash: 86cf09fa79a9b28594b163faa6a65898a39e34516280bf0c5a79658f5332b1e3ade9e4107fab75ab75fa41e5a3f16ebc
SHA1 hash: b766a68f8000fab160719c8ac4f30f5370a19f14
MD5 hash: 903200a57a7532b8859682c78688b2bc
humanhash: red-two-dakota-december
File name:Samples Copy.exe
Download: download sample
Signature Loki
Create hunting rule
File size:711'680 bytes
First seen:2022-02-22 07:49:29 UTC
Last seen:2022-02-22 14:19:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:Mby0chFFQWNwrJnVaZ3o6Pa5LuvcymfFwMmrFh0MAtevBa/2nSxlTmQTpHe55K+N:MbHchFwJnVq46Pa5xyxF+McyOsQTpHe/
Threatray 7'187 similar samples on MalwareBazaar
TLSH T13BE4DFEC287750F9E3368ABE9DDCE4B0CF79E6252105E8BD78D92B064741B848CD1279
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/243152/
Detection(s):
SecuriteInfo.com.MachineLearning.Anomalous.94.24751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/621495b3875593a3cc015409/reports/c3790b53-da03-4564-9a4b-f87c24323072/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/64ddcaf1-306a-4cb7-bd37-90052af26d73
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/943858
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576331 Sample: Samples Copy.exe Startdate: 22/02/2022 Architecture: WINDOWS Score: 84 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected AntiVM3 2->19 21 .NET source code contains potential unpacker 2->21 23 6 other signatures 2->23 7 Samples Copy.exe 4 2->7         started        process3 file4 15 C:\Users\user\...\Samples Copy.exe.log, ASCII 7->15 dropped 25 Adds a directory exclusion to Windows Defender 7->25 11 powershell.exe 23 7->11         started        signatures5 process6 process7 13 conhost.exe 11->13         started       
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 07:50:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bx3tm27wydoplz6paonxkfjuab63yvd3ft2knp6qqo36j5drz55a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
172f87bb27c59a83f26061358df1a3407cc46d8ebd5a65dc2a8e24c4f3765f71
Loki
58540b0c7fa89e78f3a5c8f47beda3c43dd1a960ecd732ebc5ec203711d812ce
Loki
ce0a5022e983a49cc2f1a62ea955670379f073ff5ef0e74ada79a8b91a10ee4c
Loki
d26199781a9a145d0a04497a7789e0730f36239c26ff603ee56e678be389e45e
Loki
f92ed4b914d93884de367cf9e7878d68bf45f7ab2b6c46abb425c029e791208f
Loki
+ 7'177 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220222-jpan2afdbq/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Enumerates physical storage devices
Unpacked files
SH256 hash:
af886e9b73c81fcaee9a5edae9b01c79d0087ac42317d55e805c54146afcbd84
MD5 hash:
d251d4c7044b9c6366e278e64879b9cc
SHA1 hash:
bfc7205eabbb93004426614bcfacbe467e8cccc2
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/21f6c862-4dfa-4212-a136-1e046a9af9ef/
Parent samples :
7a03b50a7e61d6b9a6a18b3ffc18bff1f86627062e9cee004638d9acec13bbfb
c8610287a5203fb11083b5911f48b591b573616ebda0ad43b2cabf1ddb98f3e8
557a40a6f2538708cf4daa70de86bf5cf50a460d33925a47e82ed33bb5f6c177
8b2da3a6197bb1a6d978a1470cab471249f1e70f0ec589b6ff1e1d480ab7ffc4
f92ed4b914d93884de367cf9e7878d68bf45f7ab2b6c46abb425c029e791208f
7b4a5e40c0d2a550f9abf4e676b30c69d07d9f95fabcd6275a4aa4594071026f
0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a
3f3435544aa72603a00556a6f897b95e7c061ace58227cfc8c464cc1a2cb1c89
SH256 hash:
e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43
MD5 hash:
b597cce7bfc65e56fa69ebb7f413a33f
SHA1 hash:
7ee40df5ac783432e7c9f7be4f7ed1f286345d58
Link:
https://www.unpac.me/results/21f6c862-4dfa-4212-a136-1e046a9af9ef/
SH256 hash:
32b74f7d4be11eead2ca5f9bad6025f7a59f49636d1105e62a1d83e143bd958d
MD5 hash:
06c6322a9e3cb44212d2260d9b26766e
SHA1 hash:
2fc3354568332896cb6c3c66a7921ecd0f966f0a
Link:
https://www.unpac.me/results/21f6c862-4dfa-4212-a136-1e046a9af9ef/
SH256 hash:
ddaf4f0b70185f9e45136bd67a37e9e75ecdf136d8dbd1a2a3f578851dd2bab6
MD5 hash:
e9da7414f138689eaa0af6e0cf7fb9cf
SHA1 hash:
07e8b20ddce1f06f5c5f1664e61ff5cc792cd9bc
Link:
https://www.unpac.me/results/21f6c862-4dfa-4212-a136-1e046a9af9ef/
SH256 hash:
0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a
MD5 hash:
903200a57a7532b8859682c78688b2bc
SHA1 hash:
b766a68f8000fab160719c8ac4f30f5370a19f14
Link:
https://www.unpac.me/results/21f6c862-4dfa-4212-a136-1e046a9af9ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/243152/

Comments