MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33e38733bf35535dfca14a9494ae472776e62424b728e56a43eb03e988abb9a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	33e38733bf35535dfca14a9494ae472776e62424b728e56a43eb03e988abb9a5
SHA3-384 hash:	b71dc03ea4cc2819b978d44e7749a31f090f72ca11ec14b2c896a1e4a899a2928ec456dd97556175b5e0e9813dd0582a
SHA1 hash:	47c63f3f17946fa474abb860ed7e0a7fa4931aca
MD5 hash:	069f4297d06af78fb7ca4c820d3d8c7c
humanhash:	timing-tango-magnesium-louisiana
File name:	HBL#JRYE22050036.zip
Download:	download sample
Signature	Loki Create hunting rule
File size:	1'090'144 bytes
First seen:	2022-06-06 20:07:09 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:5YWpoQ03ET9YM2Bph0AkZXEl3WM9KXuIGMNcA:ulQ03AeM2Bpa7ZK3+zv
TLSH	T13A35336726465B13A542BCD118352B6A3DF92FBAC4B7B748120DBF3BE3134F6179A018
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	Loki zip

cocaman

Malicious email (T1566.001)
From: "Kathleen< kathleen@well-rayocean.com>" (likely spoofed)
Received: "from well-rayocean.com (unknown [185.222.57.154]) "
Date: "6 Jun 2022 19:19:58 +0200"
Subject: "H/BL: JRYE22050036 VESSEL/VOY : HAI SU 7 2215S"
Attachment: "HBL#JRYE22050036.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

470

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Tedy.121454.30980.5804.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/629e5e8c9bbf30d03f423842/reports/32770d79-4ac1-46fa-91af-a65eafa9a33a/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/33e38733bf35535dfca14a9494ae472776e62424b728e56a43eb03e988abb9a5

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/33e38733bf35535dfca14a9494ae472776e62424b728e56a43eb03e988abb9a5/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2022-06-06 20:08:13 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gpryom57gvjv37fbjkkjjlshe53omjbew4uok2sd5mb6tcflxgsq._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220606-ywjb3sffgp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://litepad.co.vu/stripe/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/33e38733bf35535dfca14a9494ae472776e62424b728e56a43eb03e988abb9a5