MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba98686446412473dd5b0f72c5e9f7f9f278ffa3ad09879024df8b202992403. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba98686446412473dd5b0f72c5e9f7f9f278ffa3ad09879024df8b202992403
SHA3-384 hash: 3daeffb7b980a305ff31c1940f73a3da443a15e5a6fc4a70df8b15d121df48304c8659125cb4c42d7734c8a8416d9259
SHA1 hash: 5dc3bbb251b7bd073df0d91bf74b90a43b35f197
MD5 hash: 23269d7a2e877e17d741f36b3c835dbd
humanhash: sink-eleven-single-river
File name:[FedEx] AWB# 397911942611.exe
Download: download sample
Signature Loki
Create hunting rule
File size:536'576 bytes
First seen:2022-04-27 09:20:20 UTC
Last seen:2022-04-27 10:00:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:i2wgNdLWJeroRvyFCTkImM/Of2v+XARD9Yo8h:mgNxQlvyFCTdoC+ID9Yo8h
Threatray 8'273 similar samples on MalwareBazaar
TLSH T120B4D018FBAACB16E29A8737C4E4551447B1EA02E096EF4FBDC192D50D03367C943B9E
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 69dca0e8e8e0c448 (22 x AgentTesla, 8 x SnakeKeylogger, 6 x Loki)
Reporter abuse_ch
Tags:exe FedEx Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/267191/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.27370.15338.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe msbuild.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/62690ae30d3e2bd52d0b0d9b/reports/5d14da45-ee9e-4848-b529-ed0de2b7d4cb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/653ddd44-c7de-47d7-99c4-9b921310daa1
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/983943
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 616439 Sample: [FedEx] AWB# 397911942611.exe Startdate: 27/04/2022 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 11 other signatures 2->37 7 [FedEx] AWB# 397911942611.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\ZVFsWbZwP.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp90DA.tmp, XML 7->25 dropped 27 C:\...\[FedEx] AWB# 397911942611.exe.log, ASCII 7->27 dropped 39 Adds a directory exclusion to Windows Defender 7->39 41 Injects a PE file into a foreign processes 7->41 11 [FedEx] AWB# 397911942611.exe 13 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 198.187.30.47, 49746, 80 NAMECHEAP-NETUS United States 11->29 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file / registry access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ba98686446412473dd5b0f72c5e9f7f9f278ffa3ad09879024df8b202992403/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-27 09:21:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=douynbsemqjeopovwd3syxu7p6pspd72hlijq6icjx4leauzeqbq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
32f4ed2758d54d89b86ead83702e718d654e1fa6c78b4b46c4ca6fb25077d699
Loki
36292b95e0ed9f03e572e60d83801bf7818d85f9e607bd6d396bda9e82d6e803
Loki
702966eb365937eb195010449eb592a3817d74d0f7e4da14a0e9fbb13b5303b6
Loki
7c60096d1d69544edaba264f456916ee1fc30f0b2a296b12574d7149aff0f73f
Loki
900fd05c173389415366e0b8eab3f9eb60deb3a559ae87047e5c4407712ff90f
Loki
+ 8'263 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220427-lbbqaaach5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=21232783593130885
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
a5fa5d3e31bd470129b4c71b928b9661c1c704632ecf5b68d2fc648dfb657389
MD5 hash:
6b40898baaa1c06a9eacaf397da5cabe
SHA1 hash:
ced1cede92d16da6b585d9ee56ee2f1bdbf0eb98
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/c34a9303-b752-4e78-883b-78912f69784d/
Parent samples :
1ba98686446412473dd5b0f72c5e9f7f9f278ffa3ad09879024df8b202992403
747618305eae7ecbbdb2aad77d366405ad59770dc5cb5393857b112f3ea71f69
SH256 hash:
6052c53e74b73d0f4dc00a9e1d3c31fff904886284fc161bdf1b40ae539828d4
MD5 hash:
1e9cc1309039f1e26bd2045c3e4a991e
SHA1 hash:
56a8cdf830162f2722899859fe04112d860536fc
Link:
https://www.unpac.me/results/c34a9303-b752-4e78-883b-78912f69784d/
SH256 hash:
92fc621e886ad486195efe1b074a5186c27599e3dd4d71c72cae3078b8660ae2
MD5 hash:
e80503550a2aa077f62f09c7dc6be7e4
SHA1 hash:
f93e86c149eac50b611a1f9a7b59f5d81026262c
Link:
https://www.unpac.me/results/c34a9303-b752-4e78-883b-78912f69784d/
SH256 hash:
4eb2aac29714cded50e3a7bdd5cf7e7f2642052f04260ac71e59d6a5b7afdb4a
MD5 hash:
e909dae88515a0b423370aee38b56d76
SHA1 hash:
d7c2135e2357a6e794930775fe720c49d116c3ae
Link:
https://www.unpac.me/results/c34a9303-b752-4e78-883b-78912f69784d/
SH256 hash:
1ba98686446412473dd5b0f72c5e9f7f9f278ffa3ad09879024df8b202992403
MD5 hash:
23269d7a2e877e17d741f36b3c835dbd
SHA1 hash:
5dc3bbb251b7bd073df0d91bf74b90a43b35f197
Link:
https://www.unpac.me/results/c34a9303-b752-4e78-883b-78912f69784d/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ba986864464/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ba98686446412473dd5b0f72c5e9f7f9f278ffa3ad09879024df8b202992403

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/267191/

Comments