MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a754319ebd0d67fdd1bc301eeaaebae3cd95397af50187a3daaa624f81f5ea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 18

Intelligence 18 IOCs YARA File information Comments

SHA256 hash:	3a754319ebd0d67fdd1bc301eeaaebae3cd95397af50187a3daaa624f81f5ea1
SHA3-384 hash:	113ce4bb0766199840d1b383eb87319488d1dc446216c3efc50b9210c22d3c78a2ed50d7eeaa95cbeb42dc4553f88ee2
SHA1 hash:	0188c53bc363ecc6f9af25ea0e25efec9339ab8c
MD5 hash:	b6b250cdd01c89053ce54781eed634dc
humanhash:	may-angel-romeo-august
File name:	Contract Deposit.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	125'706 bytes
First seen:	2022-11-01 13:05:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	3072:qUJoFfWzzl+cSMqeWxvCeRznuHf4yTBH+SuM8oJjj5:qweEpJWxvNRjWdTBeroJB
Threatray	9'335 similar samples on MalwareBazaar
TLSH	T1DDC3F126BAC5C173D98706B189FA5675D3B7A1081A30269F97F01E3F69306C3E9126B3
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	James_inthe_box
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

358

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Contract Deposit.exe

Verdict:

Malicious activity

Analysis date:

2022-11-01 13:08:05 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/0730354a-2227-48c5-b33c-79a35464be08

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/326811/

Detection(s):

SecuriteInfo.com.Variant.Lazy.259192.19266.24556.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

DNS request

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Moving a file to the %AppData% subdirectory

Enabling the 'hidden' option for recently created files

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/47243/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

babar overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/636119bb791bb7e48afdfc43/reports/b0e3638a-ec7a-408e-86db-429d6ea1fe50/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c861feae-7293-4d57-a5c9-4b7cc3275b0e

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1102505

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3a754319ebd0d67fdd1bc301eeaaebae3cd95397af50187a3daaa624f81f5ea1/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2022-11-01 01:12:40 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 42 (71.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hj2uggpl2dlh7xi3yma65kxlvy6nsu4xv5ibq6r5vktcj6a7l2qq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

6cfd1167777006598f5eb5d1c08e1434aefe606dfd983c683a8f14639d56d053

Loki

7db764dd4ae52c134585ef5e1fd266448d12c45e2a5e4a6665de764c6e05fdf7

Loki

d780e4059a0ef101f5eba5d1544a2c4472658de34e64a07bc6ae3033b30d05d4

Loki

e1088c0a7c4152188ff7a8383956cb3b4e912bef7e4c476e5b5ab10f2e48f47d

Loki

+ 9'325 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/221101-qb3k8acba5/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Lokibot

Malware Config

C2 Extraction:

http://chilok.us/EKENES/all/allforone.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6ff416b5-3c7a-4d9a-9e69-f67ba50a99e5

Unpacked files

SH256 hash:

c21ad46c951ae91f2b1c436412264f4b0900545e9251e4ead8a70f6ae85eb755

MD5 hash:

e7fdde2a478cf524fdbd8b5ee88b66b7

SHA1 hash:

82aa00f148651b4b05d38c057798c0b428a4a6c4

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/68677b36-f097-4ca9-b290-8cfe0de5abb1/

Parent samples :

3a754319ebd0d67fdd1bc301eeaaebae3cd95397af50187a3daaa624f81f5ea1
6352678a23fae52974a1cce977df859bb5912bbd335486781af0f2bda1654272
c21ad46c951ae91f2b1c436412264f4b0900545e9251e4ead8a70f6ae85eb755

SH256 hash:

809915cf58e735801d139ba1f241e4080fb59ba82e4c70e45a5a140e98b084bd

MD5 hash:

58edcee33b50053109ba623eef2c38b8

SHA1 hash:

b347dd852219f6f7a10cb7680cadad2fd8c23055

Link:

https://www.unpac.me/results/68677b36-f097-4ca9-b290-8cfe0de5abb1/

SH256 hash:

ac0cf70aff670e27326029901538459e4edae2feb53e8a673f9768563578bee2

MD5 hash:

610b84d92643bc2d69db01d48720d3d8

SHA1 hash:

db4d9477f4bd83e26c09548f2703a725ac182114

Link:

https://www.unpac.me/results/68677b36-f097-4ca9-b290-8cfe0de5abb1/

SH256 hash:

3a754319ebd0d67fdd1bc301eeaaebae3cd95397af50187a3daaa624f81f5ea1

MD5 hash:

b6b250cdd01c89053ce54781eed634dc

SHA1 hash:

0188c53bc363ecc6f9af25ea0e25efec9339ab8c

Link:

https://www.unpac.me/results/68677b36-f097-4ca9-b290-8cfe0de5abb1/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3a754319ebd0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/3a754319ebd0d67fdd1bc301eeaaebae3cd95397af50187a3daaa624f81f5ea1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/326811/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample