MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
SHA3-384 hash: beb4f25d41c52cf9a17284230dd1a281ff22d0d9c4697bb8280bf12473929f5383a8ab32c55977c75189b4884616e970
SHA1 hash: 9041ab7b0cf03e4c18f86ff32eac95c3ad06f462
MD5 hash: e80a6dc30c45134e8c433ef07277022f
humanhash: diet-social-nineteen-helium
File name:givemebestwithentiretimegivenmebestthingsalwaysforgetbacknew.hta
Download: download sample
Signature Loki
Create hunting rule
File size:182'360 bytes
First seen:2024-11-18 17:35:45 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:4vCl17nlkfktbLVe4I9qWs5cew1WyNk6O5Q:4vCldn+s9he4CqWj26O5Q
Threatray 4'410 similar samples on MalwareBazaar
TLSH T14E04B668CE324DEDFBCC49A7BAFC75C872BC471797DA2E90465B7A02D88134C94C102A
Magika txt
Reporter abuse_ch
Tags:hta Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673b7c375107a56eacc797fc
Tags:
infosteal gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/673b7b0a73d2ce344bca6f32/reports/cc24fa37-89eb-4e0d-8ef1-e2953071d1c4/overview
Verdict:
Malicious
Labled as:
GT:JS.Acsogenixx.855
Link:
https://www.hybrid-analysis.com/sample/11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
Result
Threat name:
Cobalt Strike, HTMLPhisher, Lokibot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557928
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Cobalt Strike Beacon
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected HtmlPhish44
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1557928 Sample: givemebestwithentiretimegiv... Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 17 other signatures 2->87 9 mshta.exe 1 2->9         started        12 pYSJOdJUV.exe 2->12         started        14 svchost.exe 1 1 2->14         started        process3 dnsIp4 93 Detected Cobalt Strike Beacon 9->93 95 Suspicious powershell command line found 9->95 97 PowerShell case anomaly found 9->97 17 powershell.exe 36 9->17         started        99 Antivirus detection for dropped file 12->99 101 Multi AV Scanner detection for dropped file 12->101 103 Tries to steal Mail credentials (via file registry) 12->103 105 2 other signatures 12->105 22 schtasks.exe 12->22         started        24 pYSJOdJUV.exe 12->24         started        26 pYSJOdJUV.exe 12->26         started        79 127.0.0.1 unknown unknown 14->79 signatures5 process6 dnsIp7 75 192.3.243.136, 49745, 80 AS-COLOCROSSINGUS United States 17->75 61 C:\Users\user\AppData\Roaming\caspol.exe, PE32 17->61 dropped 63 C:\Users\user\AppData\Local\...\caspol[1].exe, PE32 17->63 dropped 65 C:\Users\user\AppData\...\heg2wnms.cmdline, Unicode 17->65 dropped 89 Detected Cobalt Strike Beacon 17->89 91 Powershell drops PE file 17->91 28 caspol.exe 6 17->28         started        32 powershell.exe 21 17->32         started        34 csc.exe 3 17->34         started        36 conhost.exe 17->36         started        38 conhost.exe 22->38         started        file8 signatures9 process10 file11 69 C:\Users\user\AppData\Roaming\pYSJOdJUV.exe, PE32 28->69 dropped 71 C:\Users\user\AppData\Local\...\tmp5602.tmp, XML 28->71 dropped 117 Antivirus detection for dropped file 28->117 119 Multi AV Scanner detection for dropped file 28->119 121 Detected Cobalt Strike Beacon 28->121 125 4 other signatures 28->125 40 caspol.exe 28->40         started        45 powershell.exe 28->45         started        47 powershell.exe 23 28->47         started        49 schtasks.exe 28->49         started        123 Loading BitLocker PowerShell Module 32->123 73 C:\Users\user\AppData\Local\...\heg2wnms.dll, PE32 34->73 dropped 51 cvtres.exe 1 34->51         started        signatures12 process13 dnsIp14 77 94.156.177.95, 49792, 49847, 49894 NET1-ASBG Bulgaria 40->77 67 C:\Users\user\AppData\...\31437F.exe (copy), PE32 40->67 dropped 107 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->107 109 Tries to steal Mail credentials (via file / registry access) 40->109 111 Tries to harvest and steal ftp login credentials 40->111 113 Tries to harvest and steal browser information (history, passwords, etc) 40->113 115 Loading BitLocker PowerShell Module 45->115 53 conhost.exe 45->53         started        55 WmiPrvSE.exe 45->55         started        57 conhost.exe 47->57         started        59 conhost.exe 49->59         started        file15 signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182/
Threat name:
Script-JS.Trojan.Acsogenixx
Create hunting rule
Status:
Malicious
First seen:
2024-11-18 13:08:12 UTC
File Type:
Text
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ch42vgkkgsoqwiokvs3v5c3rtdy7kkbimkhp3ci2u4iwwjq6egba._file
Verdict:
malicious
Label(s):
lokibot
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
619b4e680f74f6c69a48837fd9ee5851be850035c46c12aaf0669139d1061de8
Loki
916bcc13070bdc9e8cd15c2acb8f260b233713bd9b907ca3d027011bd8f6dff0
Loki
c19b70dbb4f6b4c1d33175598d82df4fd0798955a6c26a3d5f787cfc5566734c
Loki
error
Loki
+ 4'400 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection defense_evasion discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/241118-v6j5kssbql/
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/11f9aa994a34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

HTML Application (hta) hta 11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3295144/
  
Delivery method
Distributed via web download

Comments