MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38d3d43ff1b91bc5856ac9b14bdd4720f705448e079e7bf4931f02e9519da834. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38d3d43ff1b91bc5856ac9b14bdd4720f705448e079e7bf4931f02e9519da834
SHA3-384 hash: b08bf5670ae6fcc87ea6bee0462dcb3c87fb7b6ed739e5bc0df37933f3153542240fb7d13f7e01da71bc7fd922849f1e
SHA1 hash: a3df12abcabab62b4db34bfe15a585fb2bb4e4fc
MD5 hash: e2455bb09aee614e128200c2c6db957a
humanhash: music-iowa-cup-earth
File name:EPDA & SOA.exe
Download: download sample
Signature Loki
Create hunting rule
File size:631'296 bytes
First seen:2023-05-18 14:05:36 UTC
Last seen:2023-05-20 14:57:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:ps3pU3Pq8DwEtTa7Y8NdTwTw4Yds//DXdj2HKmjwSqwi7ue/47Y4gImjjNHcYzED:zqB88NCzks/rV0tUC44g9jKM4A3LT
Threatray 4'424 similar samples on MalwareBazaar
TLSH T1C4D4C02022F58B4AD5BA83F55DE0E2F017F59D99B42AC30B4ED6FCDB32A9B510750A13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://194.180.48.58/blessedjay/five/fre.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
EPDA & SOA.exe
Verdict:
Malicious activity
Analysis date:
2023-05-18 16:27:01 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/181de7e3-b0ea-4744-ae43-7d72a6be85bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2036.24637.26777.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/646631366687116ea47f4a9f/reports/482a2da8-308b-4f72-94f5-5b97fc053aab/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/38d3d43ff1b91bc5856ac9b14bdd4720f705448e079e7bf4931f02e9519da834
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9eb2b663-08b5-40be-aeeb-37b28ce843fc
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1236253
Signature
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 869249 Sample: EPDA_&_SOA.exe Startdate: 18/05/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 6 other signatures 2->49 7 EPDA_&_SOA.exe 7 2->7         started        11 WbLGEDbhmO.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\...\WbLGEDbhmO.exe, PE32 7->33 dropped 35 C:\Users\...\WbLGEDbhmO.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp2CA0.tmp, XML 7->37 dropped 39 C:\Users\user\AppData\...PDA_&_SOA.exe.log, ASCII 7->39 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 55 Injects a PE file into a foreign processes 7->55 13 EPDA_&_SOA.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        25 2 other processes 7->25 57 Multi AV Scanner detection for dropped file 11->57 59 Machine Learning detection for dropped file 11->59 21 schtasks.exe 1 11->21         started        23 WbLGEDbhmO.exe 11->23         started        signatures5 process6 dnsIp7 41 194.180.48.58, 49699, 49700, 49701 LVLT-10753US Germany 13->41 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->61 63 Tries to steal Mail credentials (via file / registry access) 13->63 65 Tries to harvest and steal ftp login credentials 13->65 67 Tries to harvest and steal browser information (history, passwords, etc) 13->67 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38d3d43ff1b91bc5856ac9b14bdd4720f705448e079e7bf4931f02e9519da834/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-18 14:06:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdj5ip7rxen4lblkzgyuxxkhed3qkreoa6phx5etd4bosum5va2a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
3836e97722f2267266161a857140dfda9731e6bcec5147169c86410a39ac24e7
Loki
40d89b32ac24d8d4e95b6c43218f15e9a3144191786f248e963dea351f718af4
Loki
57ff6de510ccaa060efa53e2c9e1c1b8c3b132fa55289a8a7ecc321a5370043a
Loki
7b96a1bf0bc01fdb25ed2343448b412df9e154cec081970bf360096b995be9f6
Loki
ad06dd86354aa9e61e6de1aabf9efa7539fb13edb2e23e1eb63b86d59203e55f
Loki
b3303273446384f72e2a0f90c455f69598f341164c2bcfded2cf95b30e3a9295
Loki
d89787191bcbb0685fe37fb26409367f1b00a23e4f578081785f7dba7aa2a9ce
Loki
e3e6d851f1598eb145492e46d7431f72436178f1a60ebc4d6742839e12d52200
Loki
f0f7717c93fa1fc099bb73da00989d8e75f24047779c1c54e74db9c21db6b3d8
Loki
f8725762bcc5a3d83234fd7a55cba1a002af80ecfe0eca2972899f49fa12934d
Loki
+ 4'414 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230518-regnlacc49/
Behaviour
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://194.180.48.58/blessedjay/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1eead55e6563ed1fca135afe9019db66ba08b11469f372a5ae45348d504db2a6
MD5 hash:
be4c2ee81053dd33fa64ac6370f0b61d
SHA1 hash:
b1c94b43655adf54c6de16788ce372a9440352b2
Link:
https://www.unpac.me/results/3ba257cb-abbd-4515-8c70-e7a3d3790bad/
SH256 hash:
2907ceb0aff33154a49177d6e04e822538f3fb439a55264cdf84b162564afea6
MD5 hash:
ae06e9b9c5d6df3bdb39fbbc75d9b9cd
SHA1 hash:
b03aff7dda4462819b1250e44d80c83aca37237f
Link:
https://www.unpac.me/results/3ba257cb-abbd-4515-8c70-e7a3d3790bad/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/3ba257cb-abbd-4515-8c70-e7a3d3790bad/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
7d207ddc1fe5af106b019f4c7a3b905856630a883aec0b1168e424b21f994966
MD5 hash:
47d3484f9f99af29cc1fc87665bfce24
SHA1 hash:
83a1efa249b02fa28b215758a5dd38735b999357
Link:
https://www.unpac.me/results/3ba257cb-abbd-4515-8c70-e7a3d3790bad/
SH256 hash:
41fe1cfe4de1e03e121fbcedbc4415a36861922c84796f5b1e1773f85737955d
MD5 hash:
0649ca36d06ab784fa844ddded283048
SHA1 hash:
554f9aa45c540c339be1aea784db575c62b2ba8a
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/3ba257cb-abbd-4515-8c70-e7a3d3790bad/
Parent samples :
38d3d43ff1b91bc5856ac9b14bdd4720f705448e079e7bf4931f02e9519da834
fc25fc39a2466760367fa55e0885ac65ae43395d8918e3ee5f3e4c094cdea58c
ad4b09d5bd45cb28e02d15b16313813aac8db083363be6aa81d2d6e53ed97a9a
SH256 hash:
38d3d43ff1b91bc5856ac9b14bdd4720f705448e079e7bf4931f02e9519da834
MD5 hash:
e2455bb09aee614e128200c2c6db957a
SHA1 hash:
a3df12abcabab62b4db34bfe15a585fb2bb4e4fc
Link:
https://www.unpac.me/results/3ba257cb-abbd-4515-8c70-e7a3d3790bad/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/38d3d43ff1b9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/38d3d43ff1b91bc5856ac9b14bdd4720f705448e079e7bf4931f02e9519da834

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments