MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1aadfc0d778b0d7bb238840a64991ea77998ca45c480280ed3945ecd2d29649f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	1aadfc0d778b0d7bb238840a64991ea77998ca45c480280ed3945ecd2d29649f
SHA3-384 hash:	3f8b1746fe88bc8689073303ea7e30522a16b0f03bda80ee1e046954ccbeaf820e46521e85b04c4269567a81014b88b4
SHA1 hash:	9b407c23a5824cf8391a633f83cf7f31c1962d55
MD5 hash:	eda9b73de6a05c0f227ca888ecdb7e9d
humanhash:	social-equal-aspen-comet
File name:	TNT Consignment number#AWB811470484778.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	458'752 bytes
First seen:	2022-05-12 07:21:38 UTC
Last seen:	2022-05-12 11:28:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:Ian5IS6S9PXjoZ12u0knJpvrf164J21tX4IcapVfe69kriliea9k8qUe:ZIeXjo7PFnJpvrfE4JMwapVErDCRUe
Threatray	9'310 similar samples on MalwareBazaar
TLSH	T1FEA41224222893B2C9BE1B71CF7E50DC63B42F625EA1D70FAC8279DE817174505A25BB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	exe Loki TNT

Intelligence

File Origin

# of uploads :

# of downloads :

228

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/269911/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/627cb5bcae83652f0e9ab25b/reports/96026b40-262b-4d87-a492-b2b43a5d8a22/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/728fb5ee-2a00-43db-979e-77b9c972900c

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/992449

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/1aadfc0d778b0d7bb238840a64991ea77998ca45c480280ed3945ecd2d29649f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-12 01:33:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dkw7ydlxrmgxxmryqqfgjgi6u54zrssfysacqdwtsrpm2ljjmspq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

348c4a66d4844d4636c90862d8b9c481e58fd38df59ba25a4b46744868e46800

Loki

61193fe0f1c3304394123d448eb42efca1c2d7481c93c0b0633a6a85596e5d9d

Loki

b2fb5fa4aab3329297f4f06a3596a9f640826252f473cc0f62b21c8f1a8b0cfa

Loki

dd3d5e3e01b86223fd3a517b9d153fa85a842d4b816b18f747d85df181e1a38b

Loki

f6d0dff73d9ce1016095bd9f8ab244b8a651e96ef43dfc4581d0e9c7b442ed56

Loki

+ 9'300 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220512-h68fysdgdq/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://198.187.30.47/p.php?id=21645050038542306
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

c206122a7336385be557580c114ac0923192f61bc8f77aa58c898135438399f9

MD5 hash:

6c9e813248a01432890c476813d210b8

SHA1 hash:

fd54aa3af58fc3a88cb3fd6753d773cd6c51b7f8

Link:

https://www.unpac.me/results/bec5950f-f7d0-43ea-b272-d7c6153d10a3/

SH256 hash:

8f4fe4a5676e70b5a761f01b74c715db8916f5d7987a8a7dcbcffe7a7172f5a6

MD5 hash:

d2014a2d7c7e2b2c2568ab990f823b00

SHA1 hash:

ca33def0accbfeed48f51ef872dd16e0e5e3c1e5

Link:

https://www.unpac.me/results/bec5950f-f7d0-43ea-b272-d7c6153d10a3/

SH256 hash:

01d39c02b409c5e82b5bace1ce53a7ab9b017a696396e62bc8310aa24b2cc8a7

MD5 hash:

85c79833cf8a38401505ad429860db7d

SHA1 hash:

487f0c9c5c1d56aac2e6884d13d045ff63289249

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/bec5950f-f7d0-43ea-b272-d7c6153d10a3/

Parent samples :

c77a86c2fd4917b172c2713bc886d1c19d1aedf1473e4076b3dca19504ac2e9b
702966eb365937eb195010449eb592a3817d74d0f7e4da14a0e9fbb13b5303b6
08106cb69541207153d2bf8e3d7719d43ad861d79bdd70558941582144ad2b91
9c408d483d491c30a70941cdfcaf4ff0b05a0ee3d2c2d2fb95cf4ac4964e6c42
b2110a378d750fec1151e3cda11fcd9633f2aac8a8899366714b420b44201acc
b93f0ee6a6465bd298f52ee913fc7bc56693cfa6e31dc1c13a3eb6c35c53b960
1aadfc0d778b0d7bb238840a64991ea77998ca45c480280ed3945ecd2d29649f
f000361a38df0b0599f682e97126ca3120f0261a8555e7bb03595152fdb7d4e1
7af4925ef23c08cc12eb4aa6822f8d46c01d829cc32462a55d23ffec0c7c6e11

SH256 hash:

7162c94f8367b52c7501cdc9a33e444e68596df88bf1c7d7a042e1671f48d1b9

MD5 hash:

7b05f01269dfa4b465eef7430ee43eaf

SHA1 hash:

12847f090c92769743ab4f2090fb6bc90be308ab

Link:

https://www.unpac.me/results/bec5950f-f7d0-43ea-b272-d7c6153d10a3/

SH256 hash:

1aadfc0d778b0d7bb238840a64991ea77998ca45c480280ed3945ecd2d29649f

MD5 hash:

eda9b73de6a05c0f227ca888ecdb7e9d

SHA1 hash:

9b407c23a5824cf8391a633f83cf7f31c1962d55

Link:

https://www.unpac.me/results/bec5950f-f7d0-43ea-b272-d7c6153d10a3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1aadfc0d778b0d7bb238840a64991ea77998ca45c480280ed3945ecd2d29649f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269911/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample