MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2958337fa484fb35da54cade65cd95f4eb8af745bc9077042f0652765bf5df7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 5
| SHA256 hash: | 2958337fa484fb35da54cade65cd95f4eb8af745bc9077042f0652765bf5df7e |
|---|---|
| SHA3-384 hash: | e035e55123d324f4288e05a290c7ef5b6ce7758b736a5df4ebcee0b4c5faa8bd319616b70e33249cc21f1124feab33d9 |
| SHA1 hash: | e880ad463e364270017861febc69d802cf4dc455 |
| MD5 hash: | 56fde5c763f0477aed99a2d18083be2f |
| humanhash: | stairway-georgia-mirror-alanine |
| File name: | DHL Receipt_AWB811470484778.rar |
| Download: | download sample |
| Signature | Loki |
| File size: | 391'065 bytes |
| First seen: | 2022-06-27 07:02:07 UTC |
| Last seen: | 2022-06-27 08:32:03 UTC |
| File type: | rar |
| MIME type: | application/x-rar |
| ssdeep | 6144:XwDTd8ceUzQjFzyR2fNQVieJT0fKAlxGy9Z/9MxIZ/enyS2m8icb:0TdvNSByRUgiHKnA/9MxIxd55icb |
| TLSH | T19A8423F0542EBF1B3E62B05F9E8AAA45AA0F614003CE887553B31319A43FFC761559E7 |
| TrID | 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1) |
| Reporter |  cocaman |
| Tags: | DHL Loki rar |
cocaman
Malicious email (T1566.001)From: "DHL Express <dhl@mv3.fzhao.cfd>" (likely spoofed)
Received: "from hp0.mv3.fzhao.cfd (unknown [164.92.203.247]) "
Date: "Mon, 27 Jun 2022 00:01:27 -0700"
Subject: "DHL Shipment Notification: AWB811470484778"
Attachment: "DHL Receipt_AWB811470484778.rar"
Intelligence
File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-06-27 02:17:18 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
20 of 26 (76.92%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=53483370875096238
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Delivery method
Distributed via e-mail attachment
Dropping
Loki
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.