MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
SHA3-384 hash: a4079ac3093e6a037a4618f618fc65f4347c2349521857e23b4cdf3798026d46765e9dd3e8374d3855a8eb52880e1a51
SHA1 hash: 89b9bd60c39a582da440112f12f939c90102d567
MD5 hash: 2f96e6fd36ceec8c32dcc6c7607a87bd
humanhash: aspen-oranges-jersey-spring
File name:RefTechnical Drawing Sheet.exe
Download: download sample
Signature Loki
Create hunting rule
File size:986'680 bytes
First seen:2024-03-21 03:55:46 UTC
Last seen:2024-03-21 18:57:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:wbZfqmfr+7Iz6tuhHr2WX3rLKJQEKKHP9SxG4A1wF7dieRJ14BEtIX2UgGj+Xtah:wbZCmf67FtuZFX3KJQgl4KEoEoePUF3Z
Threatray 67 similar samples on MalwareBazaar
TLSH T12B25F1CBE54043E9C8348A3AE00F953207579D7FA6DD9F42A1A4F5172873183EB2EE59
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f2e68c989898b494 (4 x GuLoader, 3 x Loki)
Reporter abuse_ch
Tags:exe Loki signed

Code Signing Certificate

Organisation:Bandore
Issuer:Bandore
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-06T01:24:50Z
Valid to:2026-12-05T01:24:50Z
Serial number: 1592b2da50e039fd4d92009a87e0d7dee9f91ab2
Thumbprint Algorithm:SHA256
Thumbprint: 13cd92b70ba286d2cef4616600af45abeb56422be1c022399cef01f87f1a8264
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Loki C2:
http://saldanha.top/project/five/fre.php

Intelligence

File Origin
# of uploads :
3
# of downloads :
495
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932.exe
Verdict:
Malicious activity
Analysis date:
2024-03-21 03:56:17 UTC
Tags:
lokibot stealer trojan
Link:
https://app.any.run/tasks/eafbdce4-f0e7-4f99-bfda-59b3691ed0bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.30274.29900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65fbafd3869de776ad04b352/reports/bb55a15d-256c-4eb4-83dc-a16330940405/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c04275f5-76f9-46e4-ae3c-201667c3d68d
Result
Threat name:
GuLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1412853
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Powershell drops PE file
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1412853 Sample: RefTechnical Drawing Sheet.exe Startdate: 21/03/2024 Architecture: WINDOWS Score: 100 36 saldanha.top 2->36 38 drive.usercontent.google.com 2->38 40 drive.google.com 2->40 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Antivirus detection for URL or domain 2->54 56 3 other signatures 2->56 8 RefTechnical Drawing Sheet.exe 20 2->8         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\Bedwarmer.Hom, ASCII 8->26 dropped 58 Suspicious powershell command line found 8->58 12 powershell.exe 18 8->12         started        signatures6 process7 file8 28 C:\Users\...\RefTechnical Drawing Sheet.exe, PE32 12->28 dropped 60 Obfuscated command line found 12->60 62 Writes to foreign memory regions 12->62 64 Powershell drops PE file 12->64 16 wab.exe 109 12->16         started        20 conhost.exe 12->20         started        22 cmd.exe 1 12->22         started        24 wab.exe 12->24         started        signatures9 process10 dnsIp11 30 saldanha.top 172.67.165.208, 49739, 49740, 49741 CLOUDFLARENETUS United States 16->30 32 drive.google.com 142.250.176.206, 443, 49737 GOOGLEUS United States 16->32 34 drive.usercontent.google.com 142.250.81.225, 443, 49738 GOOGLEUS United States 16->34 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->42 44 Tries to steal Mail credentials (via file / registry access) 16->44 46 Tries to harvest and steal ftp login credentials 16->46 48 Tries to harvest and steal browser information (history, passwords, etc) 16->48 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-03-21 03:46:48 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cg727nrkwxs4cfmgeqe4qspqnhoasa5l6d4gi6b35jzuolnrteza._file
Verdict:
unknown
Similar samples:
3854783710a249c1b8d553d298623ec63cc957281d703af14cf778bf18c06a34
Loki
496278998f3dbc4bd9cc37ee7e9628cc7a8372f55cb65c5f143b6723bec46096
Loki
4c97b96baa6e3c1ef907482abe84083c8813d45545d138ec5b9cc456f0027e1b
Loki
5fd79e8094fb1ac9dbc167219bc3218cf07a5679edc11f7847c5cd0b2e756309
Loki
6206e88335305e4230178b9e72d7c0619cdddf1d470fad04d7a5af3cc3e76dbd
Loki
9845e47adb818b782750715818bf6e47883961eaaf623db8c9554c03d371903c
Loki
e0516ae8e938052542c7e7a89713f02c0acf64a7ae9fe210ddbcd618d995e70b
Loki
e156c4e8e53c6b93166fea54fb521d9eb8bc74143ad52697a28809f5639205cf
Loki
f27ddc5f225f50a392bfcf9cbd59557d445f5ad47f1ad31f1a899aec1ec92611
Loki
f29f7cf714a8eef6c8509ea9fc3d6adbedf98e14b0f142bd8bec1fb7de78639b
Loki
+ 57 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection downloader persistence spyware stealer trojan
Link:
https://tria.ge/reports/240321-ehcgtsbc98/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Guloader,Cloudeye
Lokibot
Unpacked files
SH256 hash:
11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932
MD5 hash:
2f96e6fd36ceec8c32dcc6c7607a87bd
SHA1 hash:
89b9bd60c39a582da440112f12f939c90102d567
Link:
https://www.unpac.me/results/173a31f1-24ee-4301-8246-aaf2d40588e5/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11bfafb62ab5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/11bfafb62ab5e5c115862409c849f069dc0903abf0f864783bea73472db19932

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments