MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29da83e8eb9f92a0d5b28f2b20a12e1c317022aac908b88e67cbb1f159252f95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29da83e8eb9f92a0d5b28f2b20a12e1c317022aac908b88e67cbb1f159252f95
SHA3-384 hash: a4f24d4e87d0931d9580c45372e8662c756233717cd7ec3285ca89c55cd1003b1c13acd9db4932f5c132ba6703e8f5b8
SHA1 hash: f2ed212ca444e7283b1364b2f737e645b7dd32af
MD5 hash: 10e4069f3af38d1785064729e0bead77
humanhash: thirteen-kentucky-emma-colorado
File name:DHL AIRWAYBILL SHIPPING DOCS.exe
Download: download sample
Signature Loki
Create hunting rule
File size:19'968 bytes
First seen:2022-09-24 07:49:27 UTC
Last seen:2022-09-30 09:18:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:1034SLD2fWujvHBmHP5hRTpZvz7n7jWPiWVNLpUp8oCQ5K:5OSvIxJB0ZLmIQ0
Threatray 9'276 similar samples on MalwareBazaar
TLSH T1C192AF00BFEC5236E52F4FF5ED8345440E75F646225BDF985C94229F6D227A10B61B38
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 924d51137349552b (4 x Loki, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312805/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.10124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Enabling the 'hidden' option for analyzed file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/632eb6ed26a88abc7d22a0a2/reports/b994f460-909a-4c90-ab3e-96665c67a220/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c4815d69-6326-4c6b-9acd-39536bdfbec8
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1076359
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected aPLib compressed binary
Yara detected Costura Assembly Loader
Yara detected Lokibot
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708901 Sample: DHL AIRWAYBILL SHIPPING DOCS.exe Startdate: 24/09/2022 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 11 other signatures 2->67 7 Zjztjojb.exe 14 4 2->7         started        11 DHL AIRWAYBILL SHIPPING DOCS.exe 16 7 2->11         started        14 Zjztjojb.exe 3 2->14         started        process3 dnsIp4 69 Multi AV Scanner detection for dropped file 7->69 71 Machine Learning detection for dropped file 7->71 73 Encrypted powershell cmdline option found 7->73 16 Zjztjojb.exe 7->16         started        20 powershell.exe 7->20         started        47 cdn.discordapp.com 162.159.130.233, 443, 49693, 49698 CLOUDFLARENETUS United States 11->47 39 C:\Users\user\AppData\...\Zjztjojb.exe, PE32 11->39 dropped 41 C:\Users\...\Zjztjojb.exe:Zone.Identifier, ASCII 11->41 dropped 43 C:\...\DHL AIRWAYBILL SHIPPING DOCS.exe.log, ASCII 11->43 dropped 75 Injects a PE file into a foreign processes 11->75 22 DHL AIRWAYBILL SHIPPING DOCS.exe 41 11->22         started        25 powershell.exe 14 11->25         started        49 162.159.135.233, 443, 49700 CLOUDFLARENETUS United States 14->49 51 192.168.2.1 unknown unknown 14->51 27 powershell.exe 14->27         started        29 Zjztjojb.exe 14->29         started        file5 signatures6 process7 dnsIp8 37 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 16->37 dropped 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->53 55 Tries to steal Mail credentials (via file / registry access) 16->55 57 Tries to harvest and steal ftp login credentials 16->57 59 Tries to harvest and steal browser information (history, passwords, etc) 16->59 31 conhost.exe 20->31         started        45 162.0.223.13, 49697, 49699, 49701 ACPCA Canada 22->45 33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29da83e8eb9f92a0d5b28f2b20a12e1c317022aac908b88e67cbb1f159252f95/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 17:09:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fhnih2hlt6jkbvnsr4vsbijodqyxaivkzeelrdthzoy7cwjff6kq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
18a416fa1d87cabd5af3a10aad02fda1ee491ea8a319185c058edfdc0ad4bf48
Loki
4eb8a84959817bb937cdd20b76b47ad561cf826e5bbcfe52a56d4ea0628e1df3
Loki
aa9233aa16889193c6d866d7dc25f1eba29498b7f6a56820abca133e98a8b7f7
Loki
d5c3c233551f93893a0cd5fdcc2f51bb1fd76c22a92028dbb460071504ef67fb
Loki
d75f3fa994fec99e6ea86198ce856501a41e70f61b668faf58a233f5c7e6806d
Loki
eaad0fe6a049dd65cfe9d8d720b88a706b43e7512391d19e5cb8254f5b814d11
Loki
fe9a83b57884d99860fc683689e7e8db7684e79938bae04455d796441d1e1457
Loki
+ 9'266 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/220924-jpac9sagc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Reads user/profile data of web browsers
Creates a large amount of network flows
Lokibot
Malware Config
C2 Extraction:
http://162.0.223.13/?rujsZEinqQuPZBS8kKnSq21shtrtBBS26bv5QNtgEY6EzZMUJaM9cOCuh3YSFQVL2qQSek9TifxRfkMYuy8HmK
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d76a4901-ec8b-4698-92f7-216f471c7fb3
Unpacked files
SH256 hash:
29da83e8eb9f92a0d5b28f2b20a12e1c317022aac908b88e67cbb1f159252f95
MD5 hash:
10e4069f3af38d1785064729e0bead77
SHA1 hash:
f2ed212ca444e7283b1364b2f737e645b7dd32af
Link:
https://www.unpac.me/results/0156e859-d480-464f-b6cc-ee32fe05905b/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29da83e8eb9f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/29da83e8eb9f92a0d5b28f2b20a12e1c317022aac908b88e67cbb1f159252f95

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 5afbd3c29707f951394ecb905bff7c59562fe95e712d56663ea8e51fe23d2d04

Loki

Executable exe 29da83e8eb9f92a0d5b28f2b20a12e1c317022aac908b88e67cbb1f159252f95

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/312805/
  
Dropped by
SHA256 5afbd3c29707f951394ecb905bff7c59562fe95e712d56663ea8e51fe23d2d04
  
Dropped by
MD5 27b7d403e8edb9a9b72bbd6aad76d8e7

Comments