MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 381759931f17a19dd575787e51085e7db64a332865fe8fd7a7c05ab86b0a1a25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 381759931f17a19dd575787e51085e7db64a332865fe8fd7a7c05ab86b0a1a25
SHA3-384 hash: f094e45a95273c1e20fd1d8e23804a59d3bdb1b758a374d4c5aee7b242a3641429336336c9f381fc9bd22e0a1f7ccf52
SHA1 hash: 267de3dbafff2a4aafa71894c360c74711a99f28
MD5 hash: 83877ffe6715988d49705006befdca43
humanhash: speaker-tennis-ceiling-tennessee
File name:DHL Express _Awb#84157108962.exe
Download: download sample
Signature Loki
Create hunting rule
File size:757'248 bytes
First seen:2023-03-15 15:27:03 UTC
Last seen:2023-03-15 17:28:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:biz2iviJGRTwdbyyKyGTEd8Ho93aPyWi/YUgMgG14dxGfJtz6l:biqJTZyy9AEGuDWi/YUgny4Wf
Threatray 31 similar samples on MalwareBazaar
TLSH T126F4028DA62E5792CE3D33FB80623898837166508252F36D1CC658E71FF2FD8A905D5B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon f8ec96b2b296ccf0 (8 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
DHL Express _Awb#84157108962.exe
Verdict:
Malicious activity
Analysis date:
2023-03-15 15:56:52 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/2293d471-b5e9-4290-bcf8-65789720a07a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/374594/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65941961.7569.9256.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gorgon packed
Link:
https://www.filescan.io/uploads/6411e3cab6216cc97f2de88e/reports/47b58224-b6da-4988-b10f-8a1d338cfb4d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/381759931f17a19dd575787e51085e7db64a332865fe8fd7a7c05ab86b0a1a25
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0d670ff2-9788-473b-8d7e-d731d1fc55ba
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194345
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/381759931f17a19dd575787e51085e7db64a332865fe8fd7a7c05ab86b0a1a25/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 02:59:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=halvtey7c6qz3vlvpb7fccc6pw3eumzimx7i7v5hybnlq2ykdisq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0cd6273cb957d6e97a533d50c86de4980c956f55119bb511f17a5c0458f10f21
Loki
0dbb6f861a2eed8972d095bcd34f55669c060ecfc592d44cedc9b320e1fe094d
Loki
1a4cb882dbff14000f8050dd777ad91390ef18c824fad6a75239c9df1865e5a9
Loki
2fbe8381a484cb4c52055f448ec0934e04230d60fe109b3982008c598714c8ae
Loki
57dd90f650bd99263dc2a2b8dffe69d09c191c84483b5bad8cd322d1e0b39287
Loki
70be751106b253c90ed4d19a828dbf3505f1d3dd322c2220c4856157f8297b09
Loki
85f0acef04342dd85144d4e1a450782907122513ad29af0f0b70559179d8e6af
Loki
8b5d2f25a3b2c3ca76ff1815a0a45442bd4e1e8b74709af37670208f397f4ad5
Loki
a0ef330540f4a9d53c9b6fd713570d8fc327f8af1b51e66918a528cf9f501cd3
Loki
+ 21 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230315-svrzyadh79/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://68.183.13.128/?page_id=215360
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
78778612014f3662d1d296e978e93e983fc505bf1f097ae6a29a1688034e17b2
MD5 hash:
7dd3f67b5ba215e7e4053ce401a3be24
SHA1 hash:
d1ed2860e17e0b4d4d789dc5fb6a5d4d16579f55
Link:
https://www.unpac.me/results/4b2fc8b2-c585-4a8c-8294-7cee260a6c61/
SH256 hash:
20dea585de0c70d6d2b0f655c03ec5fe055c9365e4080e0fa753d55a5ebece9b
MD5 hash:
d807cf9ee35aa673288e5bce66e6994c
SHA1 hash:
cd94a8c3881b2f04ccf1cba3da4b9653683c506d
Link:
https://www.unpac.me/results/4b2fc8b2-c585-4a8c-8294-7cee260a6c61/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/4b2fc8b2-c585-4a8c-8294-7cee260a6c61/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
af0974803a096d6ca896d2404ffdc43cc8038c321747537bc22fb51c470a56d0
MD5 hash:
e0b04e9b859637787ab8a54fe4126ec7
SHA1 hash:
1f91d3234819eb537ad5efc632d280beb43331a6
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/4b2fc8b2-c585-4a8c-8294-7cee260a6c61/
Parent samples :
deb989bfedd869d8ce4f26ff0dec29c8f0c3c2bef1f6b441bb63eb3266fba13b
381759931f17a19dd575787e51085e7db64a332865fe8fd7a7c05ab86b0a1a25
SH256 hash:
900604b97bcdc423a6fe8980412c5bf39b3ac913fb202c07a3f1ede1125b9669
MD5 hash:
773d5adce2fd0ea58436d150256d54f0
SHA1 hash:
1986e82ef0cd50febd6de65121132cac6d328844
Link:
https://www.unpac.me/results/4b2fc8b2-c585-4a8c-8294-7cee260a6c61/
SH256 hash:
381759931f17a19dd575787e51085e7db64a332865fe8fd7a7c05ab86b0a1a25
MD5 hash:
83877ffe6715988d49705006befdca43
SHA1 hash:
267de3dbafff2a4aafa71894c360c74711a99f28
Link:
https://www.unpac.me/results/4b2fc8b2-c585-4a8c-8294-7cee260a6c61/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/381759931f17/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/381759931f17a19dd575787e51085e7db64a332865fe8fd7a7c05ab86b0a1a25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/374594/

Comments