MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3005d348dec402dc4d89094a2ea22c963dc981129cfa675926aaabfb3e160a7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3005d348dec402dc4d89094a2ea22c963dc981129cfa675926aaabfb3e160a7d
SHA3-384 hash: c67898bf26a9b15386d7e87633dd7011ec7076c6426a61cb6263017a53861e3e25e172bf1102971a9f559f3b15f5ad55
SHA1 hash: 08c86a438960da191a299e70363c0f7174440a5a
MD5 hash: a3e1a1e95124a14c1cda6e2653ce4ab0
humanhash: jig-pluto-enemy-march
File name:CORRECTED PROFORMA INVOICE#8349.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'349'120 bytes
First seen:2021-03-16 11:24:14 UTC
Last seen:2021-03-16 12:50:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:2fviXOtIh0RToVGDC/ygsyB/su508hdM45y9MCJpOnetAaCuLu1c/rcFMIizUp:2msyBku5jgMCrOetAll2/OiQp
Threatray 61 similar samples on MalwareBazaar
TLSH 9355401316F4FE24D27D7270DC77500986ECA1729338B469BD4E33868A6FA404F676AE
Reporter TeamDreier
Tags:Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CORRECTED PROFORMA INVOICE#8349.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-16 11:31:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed54fe2e-4042-45fe-9d38-169f65fac40f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.579.26829.11178.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ab9eb7d2-ab42-4985-af13-f08d98703236
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/640650
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3005d348dec402dc4d89094a2ea22c963dc981129cfa675926aaabfb3e160a7d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-16 07:02:43 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gac5gsg6yqbnytmjbffc5irmsy64taistt5gowjgvkv7wpqwbj6q._file
Verdict:
unknown
Similar samples:
04a0f9efe9c9cb9e0e26a94e8e7d7fd274e9fb9a068d350080246c098699dbe5
Loki
17bb7657e5e89ebadc0d65b4dbb539c2ce5a9b3ea834db2da17ce427d5ef0670
Loki
3a335557b8d48b82e0ece941b67f6d8dd65722791450ef02536fe72da363dbaa
Loki
569dec2c15a4a7dfab4540e6ed61ce8008985de16e5b2f91222c7b93793614cc
Loki
7259e0bb5cfcb5b2cfdde68c8c5a426f290d1984d6a165bac5df7248ee3a5abc
Loki
770710adcc9c97316e0f43dcc99ef1561dfe8ec086a1514d4c3d7d0d90b24181
Loki
818394d82d92e8a84de4e818eac65bbd15cdfafacdec28c7a73a91f5848c03c4
Loki
a9a706f6bf46b495b886f632dcafdcc8a3d493c465451c69d25fa04006a918c2
Loki
d1578c69687d86467e25b915f2637611cd8cdacaa209fce7e6e35275f28fa6a3
Loki
eabf6a7c559daf45d6aabedf7492cbeef34446b63b77352415446298b14e8957
Loki
+ 51 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210316-ce7wyvnk3e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655
MD5 hash:
b7159eb14fe565d4e233604b629bbd8a
SHA1 hash:
64f82c67e6c7cbc078141162a49bffcee3d9ebb9
Link:
https://www.unpac.me/results/c928713b-9262-49cd-a8af-eb624729f617/
SH256 hash:
3005d348dec402dc4d89094a2ea22c963dc981129cfa675926aaabfb3e160a7d
MD5 hash:
a3e1a1e95124a14c1cda6e2653ce4ab0
SHA1 hash:
08c86a438960da191a299e70363c0f7174440a5a
Link:
https://www.unpac.me/results/c928713b-9262-49cd-a8af-eb624729f617/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3005d348dec402dc4d89094a2ea22c963dc981129cfa675926aaabfb3e160a7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments