MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40
SHA3-384 hash: 235a01d98fa837e2680e568d6a56c8446a5f95f258901bfc6269acf6ed56277d44ee76de78f9b84ff748f046ed068a58
SHA1 hash: 5fa0211414a8b535c4db767cb2f417264b0d3628
MD5 hash: a6c3eaa47e2d0922063f85495282b1e3
humanhash: cardinal-high-fruit-spring
File name:a6c3eaa47e2d0922063f85495282b1e3
Download: download sample
Signature Loki
Create hunting rule
File size:390'104 bytes
First seen:2022-10-05 11:04:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d4b94e8ee3f620a89d114b9da4b31873 (90 x GuLoader, 18 x njrat, 9 x RemcosRAT)
ssdeep 6144:2qaFH+9LrEb6qlZokYZvVaxh7kY4TNryt5x+NAPskxrlIsNq1kCPIsQlw3OeAK6U:25IQrvY4LvxgAPskYb1XIDlw+zK6U
Threatray 14'687 similar samples on MalwareBazaar
TLSH T12884E0107B82D813C2B44B38A6E3D37A67BDA681BE525B573341CF6D3DA1640F68639C
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f9f8f8f8b89ce070 (1 x Loki)
Reporter zbetcheckin
Tags:32 exe Loki signed

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-26T16:12:45Z
Valid to:2024-12-25T16:12:45Z
Serial number: -381bca38999126db
Thumbprint Algorithm:SHA256
Thumbprint: 907674833f99f72934603b8138e8fa7728e311d6d39ad1247b60e5ad3bc93750
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316877/
Detection(s):
SecuriteInfo.com.Variant.Jaik.98984.11865.9450.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
DNS request
Creating a file in the %temp% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41308/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/633d64abd089a0c15dd55097/reports/803115af-eab5-4809-8dbc-b0dbb9c53eee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ab492e96-c519-4d90-a6ec-e43024fd4b7f
Result
Threat name:
GuLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1084051
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
guloader
Create hunting rule
Link:
https://mwdb.cert.pl/sample/30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 05:36:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gdrocywc3iuuariwrdtty54xxxrnt3tia3pv22hl56rvqeschvaa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
3d715fab1455552a0c842dc9666ccb29d2c85522c38487d86bb861416d1cdaed
Loki
55beb416633c883379bf87ea17c16fd389ef84e9c1b0b469df01fc2e5742f3c4
Loki
5b44d377e2ac43e289acf6f2ce0c3062955c523886c79f4235317535a563ec9c
Loki
6d4d55abaccc1b19903ceb6c96d760327bb9c87a744a8806bfb242d547c9e6e3
Loki
7d6091a8bcec7aca2c056c17969b59006a7672605ddb2f58adbc3d7aa8f38738
Loki
96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881
Loki
dd39027f02b3a47cb2677440f59575089a0673f134cff175d908be574ebc80ac
Loki
dfdedc4060f4944298bcdf25778b7f7eaaef43fdae61238d7debf88825e66294
Loki
ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a
Loki
+ 14'677 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection downloader spyware stealer trojan
Link:
https://tria.ge/reports/221005-m591lsedan/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Lokibot
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1a8b1cf9-8956-49ee-9a19-260878a9584e
Unpacked files
SH256 hash:
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
MD5 hash:
ee260c45e97b62a5e42f17460d406068
SHA1 hash:
df35f6300a03c4d3d3bd69752574426296b78695
Link:
https://www.unpac.me/results/9f225903-a21d-43d5-9826-0db47474b022/
SH256 hash:
30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40
MD5 hash:
a6c3eaa47e2d0922063f85495282b1e3
SHA1 hash:
5fa0211414a8b535c4db767cb2f417264b0d3628
Link:
https://www.unpac.me/results/9f225903-a21d-43d5-9826-0db47474b022/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/30e2e162c2da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 30e2e162c2da2940451688e73c7797bde2d9ee6806df5d68ebefa35812423d40

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2350844/
Cape
Cape
https://www.capesandbox.com/analysis/316877/

Comments


Avatar
zbet commented on 2022-10-05 11:04:05 UTC

url : hxxp://104.168.45.104/69085/vbc.exe