MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0
SHA3-384 hash: b0dffccc8a69a5f260deeb17503d63a439ad854bd40300492501137144ae907917796f09ddf1c7f8fc89019b10a7eaea
SHA1 hash: 7c3c3e0ba11f0d2b95daa1d5879ce3da33007b36
MD5 hash: 519eb55ce54f181ba3fb3e088e8fcc56
humanhash: bravo-snake-sweet-aspen
File name:Invitation to Quote 14-02-2022·pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:457'480 bytes
First seen:2022-02-14 02:05:36 UTC
Last seen:2022-02-14 03:57:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 6144:RbE/HUsqtSe9KEPCTNX5fjVrH76Brup88h8h+843ggbxfNSXNISJSdIX3khROS:RbwqhUTNJfjVrH7pv1bxfUdIOCx/
Threatray 9'228 similar samples on MalwareBazaar
TLSH T117A4C03D073CC856F0B02DFC5822DBA97EFC5E21626DF9A753206CD718F5292968909B
File icon (PE):PE icon
dhash icon 1998b0b69ee6fc08 (3 x Loki, 1 x GuLoader)
Reporter abuse_ch
Tags:exe Loki SAXONIZATION signed

Code Signing Certificate

Organisation:SAXONIZATION
Issuer:SAXONIZATION
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-14T01:02:30Z
Valid to:2023-02-14T01:02:30Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: a6c10f3062f7056ac7a4b987d02a9cafd67ac7da4e7f0c5241b11b073f743a3d
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Loki C2:
http://164.90.194.235/?id=41690530617928360

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://164.90.194.235/?id=41690530617928360 https://threatfox.abuse.ch/ioc/387393/

Intelligence

File Origin
# of uploads :
2
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0.exe
Verdict:
Malicious activity
Analysis date:
2022-02-14 04:57:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c6e762ad-6caf-4466-9ca3-e8a2afa89265

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241221/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.7135.2024.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e2594a05-c8e7-4b07-90bd-5d322672a20c
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
25 / 100
Link:
https://www.joesandbox.com/analysis/939061
Signature
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 02:06:10 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eo256lkgsi4jeg6efewuvuxrphkxwgpluf5jhq326xj4zlqd6haa._file
Verdict:
suspicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
10eb78f5a36f8ca290bf100f6f05d7a04489cef0023e86860062d6d03e6fa9ed
Loki
39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5
Loki
67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de
Loki
767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
Loki
819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0
Loki
88a56adfda71155cd315c64ca5ab176120f7d74369cc752cb63ee6a00f90e736
Loki
892ef7a1974f417377e4b50358b42c68248a4f4c1f393328421ad48e73861640
Loki
a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02
Loki
ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677
Loki
+ 9'218 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection downloader spyware stealer suricata trojan
Link:
https://tria.ge/reports/220214-cjemgafcgp/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://164.90.194.235/?id=41690530617928360
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0
MD5 hash:
519eb55ce54f181ba3fb3e088e8fcc56
SHA1 hash:
7c3c3e0ba11f0d2b95daa1d5879ce3da33007b36
Link:
https://www.unpac.me/results/27f01eef-48ed-4795-b0e2-03696f439c5b/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/23b5df2d4692/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241221/

Comments