MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8
SHA3-384 hash:	80a26f49080aed8c0cd6293dd09441def3dfeee5f98e70ad9152dbfc518d39a78f118d6336fdae807a01eba38d840353
SHA1 hash:	ce2d6a65dc6bcc8fd8b22ad3d1a774697cd8bcdd
MD5 hash:	c4e0f1f7c7fb4cecbe00c9d0c19a2837
humanhash:	happy-butter-magazine-jig
File name:	Quotation_1441_22.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	566'472 bytes
First seen:	2023-03-30 07:19:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (385 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep	12288:cqp+8Qve8l8NNylCKrlsj1Mbt491XLlHKxTzLSS0/K779NKKc06Kux:48Ue8l8Nsl/uGK1XLVKpF58h06Kux
TLSH	T124C422902381D01BD9215BB1D573D568EBFAAE10D7376A13272C3F6F7B32E814924B26
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	Anonymous
Tags:	exe GuLoader Loki

Intelligence

File Origin

# of uploads :

# of downloads :

235

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Quotation_1441_22.exe

Verdict:

Malicious activity

Analysis date:

2023-03-30 07:21:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/396d82df-7295-4c5b-b516-c27af8fea41c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/378693/

Detection(s):

Win.Dropper.LokiBot-9994306-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Launching a process

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/75708/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

alien comodo guloader overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/642538230dc8b8a71cf78a3b/reports/bc9803c3-35b0-40bd-8b34-7cf196311401/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/19313347-a001-4382-bdbd-80bff2f2a8b3

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1204909

Signature

Found potential ransomware demand text

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Obfuscated command line found

Very long command line found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-03-24 08:01:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 37 (54.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fs33ywj2lndqdn3nec5jhlkofwvwf2z3qhn4t5mzmxnujwx4s64a._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:guloader family:lokibot collection downloader spyware stealer trojan

Link:

https://tria.ge/reports/230330-h53t3sch91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks QEMU agent file

Checks computer location settings

Guloader,Cloudeye

Lokibot

Malware Config

C2 Extraction:

http://171.22.30.147/seth2/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

55840f65725f96acb5b0bf4aafb59474ddec43a65fdd57de65b636330f4bfaa7

MD5 hash:

218bf56661e2f15aa6a64713d46c913a

SHA1 hash:

1eb5ee9d0d54874ffe7dafb492c93c946e117900

Link:

https://www.unpac.me/results/c84e584a-ebb8-46c1-9a47-32b7444c384c/

SH256 hash:

096b7802a6261e31a75511bf53a8da322e05c9b8557e5ac8ce87c740facfdb13

MD5 hash:

d4da997fbe92fabd98c998f5ec8983f5

SHA1 hash:

957c707a7353dd60a25cb474ea3df5686b01028e

Link:

https://www.unpac.me/results/c84e584a-ebb8-46c1-9a47-32b7444c384c/

SH256 hash:

2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8

MD5 hash:

c4e0f1f7c7fb4cecbe00c9d0c19a2837

SHA1 hash:

ce2d6a65dc6bcc8fd8b22ad3d1a774697cd8bcdd

Link:

https://www.unpac.me/results/c84e584a-ebb8-46c1-9a47-32b7444c384c/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2cb7bc593a5b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe 2cb7bc593a5b4701b76d20ba93ad4e2dab62eb3b81dbc9f59965db44dafc97b8

(this sample)

Dropped by

guloader

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/378693/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample