MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10
SHA3-384 hash: 19768f94c6af32ed17fa8b2f0eaf27398c97f676c9155832b115676e66da671c87f7c3f40984a7d5c31da2a73ec1e64e
SHA1 hash: 1406b022ea5a7175af939be9b842886634357124
MD5 hash: 2deecc2f9a20dea7f7c7242f4a8f2309
humanhash: batman-alabama-don-sink
File name:z20CART__OCNPJCESBE_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:392'704 bytes
First seen:2023-03-07 12:04:19 UTC
Last seen:2023-03-07 13:46:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:Nc+5yStpENUqhs4bqIcKd3F6gd0G2aYZubGExK4FP/pGehQUjl26SOmB5KXpL1Tt:N9z3EN+Yoq3FDdOaYEzxDnpGesmVXpLb
Threatray 1'156 similar samples on MalwareBazaar
TLSH T1F284DF64621B6B5DF96C25F5BBD0CCD38690FE86C68A8C726CEB16B8F03778440A1D35
TrID 40.8% (.EXE) Win64 Executable (generic) (10523/12/4)
19.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.0% (.ICL) Windows Icons Library (generic) (2059/9)
7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter FXOLabs
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z20CART__OCNPJCESBE_pdf.exe
Verdict:
No threats detected
Analysis date:
2023-03-07 12:06:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/565c8054-dea2-4462-b9aa-6bb965a6224f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372198/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.16013.12238.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed virus
Link:
https://www.filescan.io/uploads/6407286f67ca02bce170abdc/reports/6caa5c17-0482-442d-a9c6-e6b54fa54db1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e414abab-e28f-4259-99bc-0174aaf06483
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1188509
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 08:49:49 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
21 of 25 (84.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cpufuvqijnnpz5qdb65o5cpcysnvmfxlr57v3kju6ekupmw7fuia._file
Verdict:
unknown
Similar samples:
0dfc6c7df7c32bb5212def47800d68f6f3168f284489fffb02b723da2d284c39
Loki
446abdfdd249bca6964b7dc14013be5d833360b0eba026a6303c3132fc797bc0
Loki
577a6f8ac673a1b176fd32c9b8fe01178fee10a2602e3ccbc02b3fdebfa9bf0b
Loki
67388fca813133367167001c4114d6cd97b4bed24d0acdfda8b5784723a698ea
Loki
88d0963292143c5ba31261b14fa12f59edcd78df1bea35281e8cf080aa1460c0
Loki
91ac5e95c271f56efcf7f8c2f1ce27579242a2cdca317fd11bf7ff380c9750ed
Loki
a808b2dec6bb188edaa16a54f10660276056567b3b5f83264ec98aeca4f2fd3b
Loki
b0500e38803ac3ca6b3fde965b1c03bfcae5cbe3a4a01a199d161e1371ced34d
Loki
bcba671f1e3e1f7ab80f59d5c1cb280bfec3ca519b37820af0bb720fb5d7a8b9
Loki
d46b71aebfacfb2ca951e24d2fd60487c2ef99958909fb8aabefc4c1172b8f7c
Loki
+ 1'146 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230307-n86b9shc5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Lokibot
Malware Config
C2 Extraction:
https://sempersim.su/ha20/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10
MD5 hash:
2deecc2f9a20dea7f7c7242f4a8f2309
SHA1 hash:
1406b022ea5a7175af939be9b842886634357124
Link:
https://www.unpac.me/results/4662c718-a6cf-4cbf-93cb-cd93a5f8f41e/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/13e85a56084b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 13e85a56084b5afcf6030fbaee89e2c49b5616eb8f7f5da934f11547b2df2d10

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/372198/

Comments