MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1235559275e785007232e4aee35bd0609d1e52da4900ac8526ff54b592d63c6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1235559275e785007232e4aee35bd0609d1e52da4900ac8526ff54b592d63c6b
SHA3-384 hash: 874408958b3d2e5efcb39aecf2a7ce1a337126b4583bf98bad2857a8df7bc4a8287d8bcb2be4bb06d0d39a58f6a01af1
SHA1 hash: 6fa6b764923c0ad19d398e650092935839a21a75
MD5 hash: bd6795cd5146d8e48817d5e0794edbd3
humanhash: winter-alanine-johnny-comet
File name:Solicitud de Cotización 01-03-2022·pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:470'432 bytes
First seen:2022-03-02 07:51:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:5bDAMwnmD/ZHA9Tr0T6d+IsBUyrABA7w1Ag2s6z0LEE:5bDAMwn4hgV7+lBUbB4w1FLiS
TLSH T1DBA422149340C417EE954A36ECB292F6AB7AAE50DE215F0F17307F5C3EB53A39A2C158
File icon (PE):PE icon
dhash icon 10c660f0dcf039c2 (1 x Loki, 1 x GuLoader)
Reporter abuse_ch
Tags:exe Loki signed

Code Signing Certificate

Organisation:Banjerdks
Issuer:Banjerdks
Algorithm:sha256WithRSAEncryption
Valid from:2022-03-01T16:51:00Z
Valid to:2023-03-01T16:51:00Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 0e661d4a2856df1866300c6319193af884bb7c4855b2fed16227dbe37ebcc64a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Loki C2:
http://164.90.194.235/?id=20300464226184894

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://164.90.194.235/?id=20300464226184894 https://threatfox.abuse.ch/ioc/387403/

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246153/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7839/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/621f22270cd58dbd9260fecd/reports/6198d7f2-7bad-4796-abfc-c88089f9c6b4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6804d1ef-174c-42d8-882c-0b2fc59d2b61
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/948903
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 581381 Sample: Solicitud de Cotizaci#U00f3... Startdate: 02/03/2022 Architecture: WINDOWS Score: 100 26 googlehosted.l.googleusercontent.com 2->26 28 drive.google.com 2->28 30 doc-0o-30-docs.googleusercontent.com 2->30 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Found malware configuration 2->40 42 Antivirus detection for URL or domain 2->42 44 5 other signatures 2->44 8 Solicitud de Cotizaci#U00f3n 01-03-2022#U00b7pdf.exe 22 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 8->18 dropped 20 C:\Users\user\AppData\Local\...\System.dll, PE32 8->20 dropped 22 C:\Users\user\AppData\Local\...\BConv32.exe, PE32 8->22 dropped 24 C:\Users\user\...\AlternateStreamView.exe, PE32 8->24 dropped 46 Tries to detect Any.run 8->46 48 Hides threads from debuggers 8->48 12 Solicitud de Cotizaci#U00f3n 01-03-2022#U00b7pdf.exe 21 8->12         started        signatures6 process7 dnsIp8 32 164.90.194.235, 49786, 80 DIGITALOCEAN-ASNUS United States 12->32 34 googlehosted.l.googleusercontent.com 142.250.181.225, 443, 49785 GOOGLEUS United States 12->34 36 drive.google.com 142.250.184.238, 443, 49782 GOOGLEUS United States 12->36 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 Tries to harvest and steal ftp login credentials 12->54 56 3 other signatures 12->56 16 WerFault.exe 2 12->16         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1235559275e785007232e4aee35bd0609d1e52da4900ac8526ff54b592d63c6b/
Threat name:
Win32.Downloader.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 02:13:05 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
19 of 27 (70.37%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ci2vletv46cqa4rs4sxogw6qmcor4uw2jeakzbjg75kllewwhrvq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection downloader spyware stealer suricata trojan
Link:
https://tria.ge/reports/220302-jqez5sfehj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://164.90.194.235/?id=20300464226184894
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1235559275e785007232e4aee35bd0609d1e52da4900ac8526ff54b592d63c6b
MD5 hash:
bd6795cd5146d8e48817d5e0794edbd3
SHA1 hash:
6fa6b764923c0ad19d398e650092935839a21a75
Link:
https://www.unpac.me/results/3ac452ff-6cfb-4697-b2f7-a971d561b42a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/1235559275e785007232e4aee35bd0609d1e52da4900ac8526ff54b592d63c6b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/246153/

Comments