MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85
SHA3-384 hash: eb64d929d080534021dde09b84d70652cd0d075e413af8c28815c6228a3d1267f12171313020dcd27cfa1399b82389d3
SHA1 hash: a2199483a89b98e5b5cf4c2ee3e47404f2326bda
MD5 hash: ecee43f804381dd15f02165167e50c16
humanhash: virginia-lima-comet-utah
File name:Quote Request University Of Tras-os-Montes and Alto Douro – UTAD (Portugal) 09-07-2022.exe
Download: download sample
Signature Loki
Create hunting rule
File size:355'912 bytes
First seen:2022-09-07 12:44:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 176ce6397deb91dca8c8158bf86c99a0 (16 x GuLoader, 4 x Formbook, 3 x Loki)
ssdeep 6144:A/c/43AbmhXUQirdrt9ENYoTvGfKPGneuLNurJnQNO+uc4kptMNJOO1TLQrVCN5:AR37XUTrdp9SYYOfKeneucrJONx4CuNz
Threatray 14'127 similar samples on MalwareBazaar
TLSH T1AC7423A59640C0EEECAB17309536DB465AF57F4AD0A57217EF253A83BC23382DE0D163
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0d2ccc8c0f0f4f0 (2 x GuLoader, 1 x Loki)
Reporter lowmal3
Tags:exe Loki signed

Code Signing Certificate

Organisation:Mamillary Nivelleringens
Issuer:Mamillary Nivelleringens
Algorithm:sha256WithRSAEncryption
Valid from:2021-11-02T14:50:10Z
Valid to:2024-11-01T14:50:10Z
Serial number: 3fb00fd6e1b03b0b
Thumbprint Algorithm:SHA256
Thumbprint: ae0199e6c8f178dc21d8d9fdd12aecd1dc8f6889a508567ab84a7c815183e0ad
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quote Request University Of Tras-os-Montes and Alto Douro – UTAD (Portugal) 09-07-2022.exe
Verdict:
Malicious activity
Analysis date:
2022-09-07 12:45:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b1564318-1730-4fc2-9aef-ba49b0675c03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308514/
Detection(s):
SecuriteInfo.com.Win32.Trojan-gen.17055.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36952/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
guloader overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6318925ce73fb79b7afdac1f/reports/52da53da-1288-4033-a38d-c83d227de2c3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1856731b-172b-4f28-9587-9d478ab192c4
Result
Threat name:
GuLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1066416
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 698954 Sample: Quote Request University Of... Startdate: 07/09/2022 Architecture: WINDOWS Score: 100 24 googlehosted.l.googleusercontent.com 2->24 26 drive.google.com 2->26 28 doc-0o-4o-docs.googleusercontent.com 2->28 36 Snort IDS alert for network traffic 2->36 38 Multi AV Scanner detection for domain / URL 2->38 40 Antivirus detection for URL or domain 2->40 42 4 other signatures 2->42 8 Quote Request University Of Tras-os-Montes and Alto Douro #U2013 UTAD (Portugal) 09-07-2022.exe 6 36 2->8         started        signatures3 process4 file5 18 C:\Users\user\Hoddens\...\qipcap.dll, PE32 8->18 dropped 20 C:\Users\user\AppData\Local\...\System.dll, PE32 8->20 dropped 22 C:\Users\user\AppData\Local\Temp\...\Math.dll, PE32 8->22 dropped 44 Tries to detect Any.run 8->44 12 Quote Request University Of Tras-os-Montes and Alto Douro #U2013 UTAD (Portugal) 09-07-2022.exe 21 8->12         started        signatures6 process7 dnsIp8 30 162.213.249.190, 49739, 80 NAMECHEAP-NETUS United States 12->30 32 drive.google.com 142.250.186.142, 443, 49737 GOOGLEUS United States 12->32 34 googlehosted.l.googleusercontent.com 142.251.37.97, 443, 49738 GOOGLEUS United States 12->34 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->46 48 Tries to steal Mail credentials (via file / registry access) 12->48 50 Tries to harvest and steal ftp login credentials 12->50 52 2 other signatures 12->52 16 WerFault.exe 2 12->16         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-09-07 11:53:25 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
15 of 40 (37.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fjwohbcmwbbg735qfvl3xohkwv3nb4ejemogdkqssphqakgr3ocq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
493c63489f594c10e1f5aace2dd833f3fddaac2800d3603498d2b4abe4bd7e0c
Loki
4c72a5eff108b8b4d7789cd3cf92969a7357c6d5c6ecccfb1aa26f1e8f6ecb42
Loki
69d141096955a35ede46b91e97129df4d8faead0e19c9b0badf180b7b0c8600f
Loki
8f9cf775cd2f30283dac9c8441e6787000ba95706d467b5199a00b3aaa213ea5
Loki
90a23ff30cf40dbf180e2ca98360bbcecaf1a736f7bb118efe7fbff2db7dc82c
Loki
a1a380c16c8b853cc0b4825af9287430debc0ddaafd5f6ac5633ad6341dfb13c
Loki
bc25deacda2e313aef6e1bc19940cbafdc8e881dd00f5b7f9dd1b57c27fd3795
Loki
bc6bb84d6521d6dacbb323108af50cc6534b2ba88c6257f38e06fa4dc0d5d9d0
Loki
daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
Loki
f404a5d8e7a6622e073a2a596e728cb5be383baa2df71924d116db5ed2fa68ee
Loki
+ 14'117 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection discovery downloader spyware stealer trojan
Link:
https://tria.ge/reports/220908-fwnmpadff7/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Lokibot
Unpacked files
SH256 hash:
6b6c63505ac093672cdc062ea23ea8fbb263204c9591c936dda896cba2c56504
MD5 hash:
499788d1d4b70ea3499b6411ef5aca0c
SHA1 hash:
db7274f0c3beea8a2ed7df7fe3006b1ec965d13c
Link:
https://www.unpac.me/results/0e3374fe-a309-40a2-954d-391e5081802f/
SH256 hash:
1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1
MD5 hash:
6c38da8922cc37b4bbb77de4a63ad843
SHA1 hash:
4e0533fd11df8bddbd543ed58df7b6060d9f4631
Link:
https://www.unpac.me/results/0e3374fe-a309-40a2-954d-391e5081802f/
SH256 hash:
2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85
MD5 hash:
ecee43f804381dd15f02165167e50c16
SHA1 hash:
a2199483a89b98e5b5cf4c2ee3e47404f2326bda
Link:
https://www.unpac.me/results/0e3374fe-a309-40a2-954d-391e5081802f/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2a6ce3844cb0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 2a6ce3844cb0426fefb02d57bbb8eab576d0f089231c61aa1293cf0028d1db85

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/308514/

Comments