MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e0d0762433ff21184bb4e8330db8fa104958537fad81fb39d8e3e7d849ee9f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	2e0d0762433ff21184bb4e8330db8fa104958537fad81fb39d8e3e7d849ee9f8
SHA3-384 hash:	769da68edb596ed8d137f555b9e27824115ad1f9d64d30ca379e98e157661117281079cc10c1a0ac51d6194d5bf1b45f
SHA1 hash:	b7664d8f8182e736a3cf4509c5a38fb1c17a7fad
MD5 hash:	5e4d39e60ff35813b11c0f7875c87d38
humanhash:	tango-earth-pasta-hawaii
File name:	Shipment Document BL,INV and packing list.jpg.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	574'976 bytes
First seen:	2023-07-19 09:10:28 UTC
Last seen:	2023-07-20 13:03:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:trFfAdymAY2kcdbL4EfMRD9QMKOXSehTZk1lhlcGifGL6fq0:bfoN6GEfMRhKASehTC1lgyW
Threatray	4'228 similar samples on MalwareBazaar
TLSH	T161C402557D978513C00A2F3BC04225B443BB8BC67923D61B2C8FB129AE9A7CF4D90B97
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter	cocaman
Tags:	DHL exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Shipment Document BL,INV and packing list.jpg.exe

Verdict:

Malicious activity

Analysis date:

2023-07-19 09:12:12 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/64b445d4-7773-4944-aca3-3a94056dfb38

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/424546/

Detection(s):

SecuriteInfo.com.Variant.Lazy.362909.29547.22912.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64b7a8a88ca71f19e0893b98/reports/0801fb6f-603e-4631-915d-4a47903a4dad/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2e0d0762433ff21184bb4e8330db8fa104958537fad81fb39d8e3e7d849ee9f8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3423c4e1-e033-4c99-aa3a-d3845c769ff7

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1275811

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/2e0d0762433ff21184bb4e8330db8fa104958537fad81fb39d8e3e7d849ee9f8/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-07-18 12:27:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fygqoysdh7zbdbf3j2btbw4puecjlbjx7lmb7m45ry7h3be65h4a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230719-k5llxaba6v/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://138.68.56.139/?p=13459621
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

45b5a61e4a8f4025d3e94f407c0e84a2cde427a918f2a5446278e22117da1d4c

MD5 hash:

ca775551666be768a9241f43eec98b87

SHA1 hash:

fbbd937067a24c48ee5274d3fa2881a991e64f3c

Link:

https://www.unpac.me/results/692a2310-b440-40c5-a36f-9250055b4015/

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/692a2310-b440-40c5-a36f-9250055b4015/

SH256 hash:

f07e02df3b0c33dd917e55847e8d1f4dc259daacdc42b0915d5d84e7e7c51aff

MD5 hash:

18282495db158d6db91016c217a9c93b

SHA1 hash:

1de3aba4314e56497c122ec8346fab4af25654cf

Link:

https://www.unpac.me/results/692a2310-b440-40c5-a36f-9250055b4015/

SH256 hash:

bc5b99f46d73cf7d1c7b0aeb705169490c4237c64d586ffcc4288db8b40173ea

MD5 hash:

38c8186f8c1d1ef5b62dd5ee4e11eed2

SHA1 hash:

0891a3b4d118ca45d8da842c62a11fdcfcb66d24

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/692a2310-b440-40c5-a36f-9250055b4015/

Parent samples :

2e0d0762433ff21184bb4e8330db8fa104958537fad81fb39d8e3e7d849ee9f8
2ce96413ec00dfb12023381264f92287f425fbc8af4357f370f8f9ab9a030dbc

SH256 hash:

2e0d0762433ff21184bb4e8330db8fa104958537fad81fb39d8e3e7d849ee9f8

MD5 hash:

5e4d39e60ff35813b11c0f7875c87d38

SHA1 hash:

b7664d8f8182e736a3cf4509c5a38fb1c17a7fad

Link:

https://www.unpac.me/results/692a2310-b440-40c5-a36f-9250055b4015/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2e0d0762433f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2e0d0762433ff21184bb4e8330db8fa104958537fad81fb39d8e3e7d849ee9f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.