MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
SHA3-384 hash:	e91bfc6ee35a6f2dec6d20ed9fafb2f69e8bb2feda373c4b6c831b9f9e4f0a633b5e9861735b6b6e9d680bdefc3083eb
SHA1 hash:	cc04ea26c1364b9a058b55c8697a49e1c7e16970
MD5 hash:	370ebdf4ff5036c106793994cc851779
humanhash:	shade-equal-nitrogen-washington
File name:	DHL Express Shipment DOC.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	852'480 bytes
First seen:	2023-03-21 06:10:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:0wRZRbIx8nvRW3NVuf7sBF84DpHCojUzQO7auRJ0CXfmv5gn:02+xuv89V4gc4DVhhuRax
Threatray	82 similar samples on MalwareBazaar
TLSH	T1F00507435EBB5085E8B70F38547A76980B34E953BDD9903B3CC9B61A8FFA68360463D1
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://64.227.48.212/?page_id=215360

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

DHL Express Shipment DOC.exe

Verdict:

Malicious activity

Analysis date:

2023-03-21 06:11:05 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/07a3a44a-d8ee-4fb6-a0ba-353253d6e6d3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/376105/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/64194a78c60b3295f52c4437/reports/8e975311-7df1-4eaf-a242-add497376a93/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/21ad240b-ee39-41ac-aedb-11a5c6228641

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1198260

Signature

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf/

Threat name:

Win32.Trojan.Pwsx

Status:

Malicious

First seen:

2023-03-21 02:57:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 37 (37.84%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=d27nwzjpuj2cgjamh35imdtvkgkyqeisa4364xj6u65n6zy7xlhq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

2fbe8381a484cb4c52055f448ec0934e04230d60fe109b3982008c598714c8ae

Loki

53e04b40ad30d83c66ef729d87e5822f732fbc6804cbe216d68898f583ce7ad3

Loki

66891afe754c3aab6b8fa33af83ed871fc37d7e6668f02b3b0c7ef0e96756b20

Loki

8e8f0ef7fe5176d9ca580c127a9476ca505c4990c317ebd7b18b92129eac4bb2

Loki

93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1

Loki

c7caec412a7c08eaf935fb9a2fab9f96123183b7b7ba428128146bee677a3097

Loki

deb989bfedd869d8ce4f26ff0dec29c8f0c3c2bef1f6b441bb63eb3266fba13b

Loki

fd63f671c5984fd1cd39cf00e35bf5e978b8dedce3e209d29c120325f1984254

Loki

+ 72 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230321-gxlp6aha46/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://64.227.48.212/?page_id=215360
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

c7cd7d4865550208fc5fe8be4190a9cb0b0eb076f58aeba743935f5b71691bc6

MD5 hash:

ffe7b45825e25ad89d851c63ed61406e

SHA1 hash:

cbbbbd2e7ec74a155f6d0fcd9066fbad976d1242

Detections:

lokibot

Link:

https://www.unpac.me/results/20ca6dd5-908f-482a-aeda-3b4b0f94e2e9/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/20ca6dd5-908f-482a-aeda-3b4b0f94e2e9/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

1d69a988f929de8a3a7418c1d95b99f98837a2eeeee4c78fddf5bb6ea2a5f3a7

MD5 hash:

91e860509944f7ab6a535e601787c217

SHA1 hash:

812cadc7759b4ae8fd15ac755afb2a4e61383b81

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/20ca6dd5-908f-482a-aeda-3b4b0f94e2e9/

Parent samples :

99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3
1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295
5224ad26b096f110856cfa5e9713928ba3704c860b3ea022ff4c8b271c2a6997
7589df135ac8e8da5e6e8bef446256bccbdbb92831e8cf89705bb2a19f5317e2

SH256 hash:

000c0889c2d93807781cb5e2c212d07bd38c6fed9b738530f2515640306b5f44

MD5 hash:

8d369299a047f228593293887092e43d

SHA1 hash:

7e38cd87127c3ea59ddba80f7ddf35fb105a7f6c

Link:

https://www.unpac.me/results/20ca6dd5-908f-482a-aeda-3b4b0f94e2e9/

SH256 hash:

71879cdaafdaa635e28faa09d84d63b649c1d3a8ea89fb4d46e3849a1e10cd52

MD5 hash:

bb5296c0d2875e0c655be76778650b05

SHA1 hash:

127b01388ef7e7f34b554ac6215f17e4ae9f8ea3

Link:

https://www.unpac.me/results/20ca6dd5-908f-482a-aeda-3b4b0f94e2e9/

SH256 hash:

1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf

MD5 hash:

370ebdf4ff5036c106793994cc851779

SHA1 hash:

cc04ea26c1364b9a058b55c8697a49e1c7e16970

Link:

https://www.unpac.me/results/20ca6dd5-908f-482a-aeda-3b4b0f94e2e9/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1ebedb652fa2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/376105/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample