MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2af4c514474e77feb774b9c0faf1b17a41f92dbbef37c9d3f2d5778223f9a733. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2af4c514474e77feb774b9c0faf1b17a41f92dbbef37c9d3f2d5778223f9a733
SHA3-384 hash: 52b739e753fb64ab229d83f32b6fa43ff4d0d00cee3fe7f588d72ba3c1d9520bcaaf4b506b7f9fdb9e7eb46bebd4e3f7
SHA1 hash: 5cfe30be0675a2aa50c460840fb4ebc6f8e7c1e4
MD5 hash: 0eebe460ee90755b159e1ecec0092b61
humanhash: mobile-lion-vermont-nineteen
File name:DHL Receipt_AWB#2045829822.exe
Download: download sample
Signature Loki
Create hunting rule
File size:710'656 bytes
First seen:2022-07-18 07:08:11 UTC
Last seen:2022-07-18 07:47:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:EekpNzB0WhNCWb2gb3IU35oQw28QnS0gWlnX+M4nCzcaFlSNS:EekpNl0esO9pa2TQsnX+JaQS
Threatray 8'449 similar samples on MalwareBazaar
TLSH T146E4120637EC1B06D8B5CBFD6436884057B9AA263271E39D8ED5A0DF55B2B818B40F1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/291488/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.20126.28704.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62d50752ee649612ac58ab9d/reports/a64bc479-1238-4f33-b55b-3e6effd9ee96/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f704933-f179-438b-8a52-e61ad17528cc
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1035540
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Generic Downloader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2af4c514474e77feb774b9c0faf1b17a41f92dbbef37c9d3f2d5778223f9a733/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-18 01:17:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
51
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fl2mkfchjz375n3uxhapv4nrpja7sln35434tu7s2v3yei7zu4zq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
108d0bc28290e30eab015fae52f14ea16fa645395df0c89c95ff637c209f5314
Loki
a321efcbd0394eade04263fd6498396c3e831ed65aa349c00dbf2b131994e19a
Loki
ae47ea9b41f852d4af9458ff928b86451877debe9dc09e1adc4c7175a1252748
Loki
cf318f94ad9a7827d2cf4415549c9d3ceb92c0bae85c46e50420fbbe3fa8f3a4
Loki
e3bd0660f61bc671f91a00cac1734dd1854d7c7a2ae4293ddc960d274fdfbe6e
Loki
e4d563a7b3baefa52a1b44d290da157fd94f6d27bfb21be7ae40b36cff1d307e
Loki
f0dfa57c34ed5491fb7d8cfa7958174454e663effd17b9d5c0e981105bbea9cb
Loki
+ 8'439 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220718-hysersaca9/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=10316882234268616
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
39c2d879c57f07305ce60412dc8a88f02e51f1a14a06cc605768d1d7f5313807
MD5 hash:
db51fe170a9e5d6ec5429a2fbd9d0353
SHA1 hash:
e30a58125fc41322db6cf2ccb6a6d414ed379016
Link:
https://www.unpac.me/results/77ce245c-c28a-4c44-bd97-d212d8fd5c0e/
SH256 hash:
6593aa4078cab8936a7c689d95fbb5b526ec05cf96fcf8914827d93643c14ff9
MD5 hash:
33623feac5b14b0917bd9db7e3180c75
SHA1 hash:
6e5bab840a1873c00bc39c7909045fc75fffb47d
Link:
https://www.unpac.me/results/77ce245c-c28a-4c44-bd97-d212d8fd5c0e/
SH256 hash:
1bced31aaeda54366fcea3f04bdf8a1aa89f54c48660a8919c7b6fdfd23ed0a9
MD5 hash:
2e3d8682972eda68494caee2f811b692
SHA1 hash:
55d5852a851f14796027574e0713ddc59fe24369
Link:
https://www.unpac.me/results/77ce245c-c28a-4c44-bd97-d212d8fd5c0e/
SH256 hash:
8cab50128103091dc802fa352658fa5a6ef059d0478cc251a318778b097a1b6f
MD5 hash:
2a9e2a97f93ed4df7267e1ef6028ce4d
SHA1 hash:
28672c458c0a3f7c617e8bf45ec22cae980ac221
Link:
https://www.unpac.me/results/77ce245c-c28a-4c44-bd97-d212d8fd5c0e/
SH256 hash:
06535f6ed8de21369c67fd5c2f37688af55c21f57bcbf655b0f7ed128b2f1cf9
MD5 hash:
e36841343da08432d9dfca01728059a9
SHA1 hash:
16996ed3eb870bac3aaf793531c9baa0130f8143
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
lokibot
Create hunting rule
Link:
https://www.unpac.me/results/77ce245c-c28a-4c44-bd97-d212d8fd5c0e/
Parent samples :
a4bb6e9c41c7d7f5b782355f7fb056f44fe66ad6ebd0d589b7941b8905e219d8
a3d46f7fe68a30115c4eae725622d4336e7ea6dde46b0104d113ddd55ff1e5a5
c86ba22021597e8876b4432a5ffb954f495e7f2a0a926af5f630e1f3e3e8acf5
3ed8d8e12f6a32642e80244929d185d80bb599ba317628a32d9cea8f46cb5f45
2af4c514474e77feb774b9c0faf1b17a41f92dbbef37c9d3f2d5778223f9a733
fa4058c30f37d1cdb72e5bbcc467ff8f9b584b090bfdf723ac1f04817980096a
SH256 hash:
2af4c514474e77feb774b9c0faf1b17a41f92dbbef37c9d3f2d5778223f9a733
MD5 hash:
0eebe460ee90755b159e1ecec0092b61
SHA1 hash:
5cfe30be0675a2aa50c460840fb4ebc6f8e7c1e4
Link:
https://www.unpac.me/results/77ce245c-c28a-4c44-bd97-d212d8fd5c0e/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2af4c514474e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2af4c514474e77feb774b9c0faf1b17a41f92dbbef37c9d3f2d5778223f9a733

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 2af4c514474e77feb774b9c0faf1b17a41f92dbbef37c9d3f2d5778223f9a733

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/291488/

Comments