MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1
SHA3-384 hash: ccf530e0d7f12826ad7151239545c448e1dfb3191fab68496c60d1af2189c1cc04746907bd5f4fe847c35ec29879894e
SHA1 hash: a218c89d0086523e1411ce36bf52f1f1c37bced3
MD5 hash: f63d3e8c6f35792f8684966711fecb06
humanhash: nitrogen-coffee-video-louisiana
File name:no'lu Siparişiniz 1631807020mvQB5 150adet....pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:765'440 bytes
First seen:2023-09-21 13:51:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf5a4aa99e5b160f8521cadd6bfe73b8 (432 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep 12288:ah1Lk70TnvjcXg7XU+GM6xyivcp/aUBXeWh2RmioCCRtA:ek70TrcXg7X0M6MdaUAWURmRCCRt
TLSH T178F48DE031B9C3E3D0A24DB00FDA867079F5316C98D4564EB0F99B2E97D239114AD6EE
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4a6a494a48484a4 (65 x AgentTesla, 39 x Formbook, 8 x RemcosRAT)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
341
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
no'lu Siparişiniz 1631807020mvQB5 150adet....pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-21 13:52:50 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/45bed1eb-047a-48d8-88e7-ec7cb6e8acf3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61899.6544.29541.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.InjectNET.50.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Stealing user critical data
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin net_reactor packed packed
Link:
https://www.filescan.io/uploads/650c4a87f1b40cb0d61ffd8e/reports/fc1ee080-41c9-4dd5-b743-e36c9b7c2473/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65dbfb28-6b20-4bde-b839-2551a9a7cb5d
Result
Threat name:
Lokibot, RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1312324
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Suspicious
First seen:
2023-09-21 13:52:09 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
19 of 23 (82.61%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ce4o3joykhwzq66xmmojuewiwrr3k572ikzgajjzk5ffq2s2scqq._file
Verdict:
malicious
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230921-q6d64sgd4y/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Lokibot
Malware Config
C2 Extraction:
http://ugopounds.caesarsgroup.top/_errorpages/ugopounds/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
ebf35b3659d29869e3f7cd8a141dabe96c84c21df9e4c908e7c0d63b4bb81860
MD5 hash:
ec71d9a3d53af776ba13344f8753bfda
SHA1 hash:
d93963e1db7bd96f6149e46ade6349261176735f
Link:
https://www.unpac.me/results/1d26e858-8255-412e-b72e-1c30a6b0a5b5/
SH256 hash:
33dbb28c4134202a4e2669e640f314262f4b9cf1c8b2d7c2daae6d13bda005fd
MD5 hash:
6d24faba3669a91a7662b6194ca08bee
SHA1 hash:
94c92ef17f5ddd5e5df4f3eacce9ff2a645f4e93
Link:
https://www.unpac.me/results/1d26e858-8255-412e-b72e-1c30a6b0a5b5/
SH256 hash:
9f95ca27e874d387286b35acbc8233b9877dc67d9584e73f3967d7922edf885b
MD5 hash:
4fe26bda03cded2267a25317e3de8aff
SHA1 hash:
62e74bb688aa387af21bf66f91c4fbc853631556
Link:
https://www.unpac.me/results/1d26e858-8255-412e-b72e-1c30a6b0a5b5/
SH256 hash:
0db00dd6f1294a550bf4367c3d36e1b3c6f36253ecf9983dcba052f1ed50e355
MD5 hash:
d9fda807135b4925d69b847f8c9ab849
SHA1 hash:
1cbfb68f9f2d3d50d792e46e03c3015879308501
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/1d26e858-8255-412e-b72e-1c30a6b0a5b5/
Parent samples :
1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1
6648d6be85d4611f71fb27b7598df56516c433bfe8fd51a1069bfbf1c8be0c29
b06c31ca5664c7f9142039d5a2e4f5201404d08e4d233b594e6e69cb4e1219a5
bdd8bc8cc85047d7ea0a4086a3fcfc1bd9f2f98794d50be234249b1a7e8ee1a6
03541ffcb574dd73c84c4c3b3522225f03862123877b278e97e7a508586382b2
d678f42c6c3a37927a20a466df089d70ea6e97e19888bf75db2a1da1a28710ed
91bff23f123fb307a7baebb69281c6d17f65fc7d3c7891bbbe7df3b486e4d10c
d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae
SH256 hash:
1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1
MD5 hash:
f63d3e8c6f35792f8684966711fecb06
SHA1 hash:
a218c89d0086523e1411ce36bf52f1f1c37bced3
Link:
https://www.unpac.me/results/1d26e858-8255-412e-b72e-1c30a6b0a5b5/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1138eda5d851/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MAL_Malware_Imphash_Mar23_1
Create hunting rule
Author:Arnim Rupp
Description:Detects malware by known bad imphash or rich_pe_header_hash
Reference:https://yaraify.abuse.ch/statistics/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments