MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20658384b26379f13909fbfd67040a28e381b699f129d96a48a8f24d8ec09424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	20658384b26379f13909fbfd67040a28e381b699f129d96a48a8f24d8ec09424
SHA3-384 hash:	8f979c8d0fa15033755d865dbbe705bc822b7e7e4c1629943f4e82e6d007f10b932b3489a30c7826dcfea4670aea00f2
SHA1 hash:	739b7f7b526f7beb61db65b919e947ac6abac2f7
MD5 hash:	e67f837e2329d7024290b85a5138e98e
humanhash:	bulldog-lemon-chicken-october
File name:	Payment Notificationxls.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	378'368 bytes
First seen:	2022-02-21 13:40:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:GoRNyHXIQenAKo7MMye9zurKCy5bl0EBUUffNtWEivOOOJZoeVzYN2+0cIWsIoL5:1fAb7nC0WEG05iT
Threatray	6'810 similar samples on MalwareBazaar
TLSH	T12D8407C5A4289081CEFCB5F2B866E92220F93CAD8DC7494D76F972361472997DD0B81F
File icon (PE):
dhash icon	090d141563496d3f (19 x RedLineStealer, 2 x RaccoonStealer, 2 x CoinMiner)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://164.90.194.235/?id=5332157718358247

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://164.90.194.235/?id=5332157718358247	https://threatfox.abuse.ch/ioc/389722/

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/242966/

Detection(s):

SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6213967aa2660f3bb91b571f/reports/786020f5-4634-43eb-aeb2-35b89c4dee48/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2c7603e2-1e5b-4c93-93bf-b0586f916c74

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/943255

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Silenttrinity Stager Msbuild Activity

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Yara detected Costura Assembly Loader

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20658384b26379f13909fbfd67040a28e381b699f129d96a48a8f24d8ec09424/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-21 13:41:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ebsyhbfsmn47coij7p6wobakfdrydnuz6eu5s2sivdze3dwasqsa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

274422d8fb0a807ee41552012c99ca2573555c43a3314968554836c1646f4c15

Loki

2fd574e3e15ee251f7d97e87d9824b2db0a5c150d1e7be37e7814a16796f4b18

Loki

47c07c2a2aacac0a441cc2547a816f2e471d581d9d04d34a4f72ef95bef309e7

Loki

4f4d0fe769bd9d316323e290ab9116b5dd95eb7ff5842371f4ff54b2bcc1ae66

Loki

6a7eed9276568817d7aafb96a4bc1707ffdfd0660682e4e771937dc19675c07e

Loki

9073b386f1f565170aec8f8f021363f72d4230f35c130ccebb9d72ba82550d50

Loki

9522dbec3af60a6ad1e0839afd4f7b5206bd46c304e5201bb6e5262cc67c5433

Loki

dbd907b09dd3b29a2482cfd460af698cb64465cd8526607939b05cdf96abfe6f

Loki

+ 6'800 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220221-qy5n4aadc2/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Lokibot

Suspicious use of NtCreateProcessExOtherParentProcess

Malware Config

C2 Extraction:

http://164.90.194.235/?id=5332157718358247
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

20658384b26379f13909fbfd67040a28e381b699f129d96a48a8f24d8ec09424

MD5 hash:

e67f837e2329d7024290b85a5138e98e

SHA1 hash:

739b7f7b526f7beb61db65b919e947ac6abac2f7

Link:

https://www.unpac.me/results/0b9df00e-0eb0-4784-818d-0730d2a1e7c6/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/20658384b263/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/20658384b26379f13909fbfd67040a28e381b699f129d96a48a8f24d8ec09424

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/242966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample