MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ca0370032a82c1c1ee13e88727bd0763365b1731cc0d10934fe37f7ef949865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ca0370032a82c1c1ee13e88727bd0763365b1731cc0d10934fe37f7ef949865
SHA3-384 hash: 84f501dc7bf9b9a408a4a2e325ccc5edace4c28e3bfac3aef3ee934a46ec6dadcef90c4b8c88c5e7f31b0f348ef4d97e
SHA1 hash: 729d0d0bd3da46eb7728ae4547ba0e82f81f832d
MD5 hash: 8d384a90dcd988261276f07857c5be0e
humanhash: alabama-undress-mockingbird-mirror
File name:8d384a90dcd988261276f07857c5be0e
Download: download sample
Signature Loki
Create hunting rule
File size:883'200 bytes
First seen:2022-11-22 10:04:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:uM+L74mBfNUstzovMtJWkonbch1mskWOlGHJvZkrE3r8JN:TM/o4h1m5WYGHJRdI
Threatray 14'043 similar samples on MalwareBazaar
TLSH T127154A4F2B7FDEF0EA245CFB221457039D3651DABA8BCA7883984BC660F161C5B74864
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
QDMD996022 BL COPY.doc
Verdict:
Malicious activity
Analysis date:
2022-11-22 09:15:50 UTC
Tags:
exploit cve-2017-11882 loader trojan lokibot
Link:
https://app.any.run/tasks/568d6b7d-2f6b-4c59-a790-8df67cd29ed0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337169/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.44634.23822.3415.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637c9ecf883647d07fb66816/reports/ed05c538-3606-43c3-9e6e-34026813437e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b912cb0e-12a6-41e3-b5c8-2b819bcbde3a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1118817
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ca0370032a82c1c1ee13e88727bd0763365b1731cc0d10934fe37f7ef949865/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-22 10:05:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsqdoabsvawbyhxbh2ehe66qoyzwlmltdtanccju7y37p34utbsq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04f557582bc8b4c4af843d0c837124da73f887ac5b997efdd78f96d45caced85
Loki
27e73b1508f3d4e114390a25e11c201bfa2a66d8cab4e385d9bce54fc2df206f
Loki
4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217
Loki
7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a
Loki
+ 14'033 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221122-l4hdjahf27/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://sempersim.su/gm5/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
3c991a72c8e047741d335988afa4abdce606075f3dcc82ed1567c5d583a8edc1
MD5 hash:
4232101413dc24d4c6a68f9be716daa2
SHA1 hash:
f4d118c377b5d64d535089e6750123f6f768379f
Link:
https://www.unpac.me/results/851320da-9970-4e1c-9c21-9f669d3c9990/
SH256 hash:
5548acc32a20686f5f9f4721134324aca4d28ae737bacaf00ee05d296c30b1e4
MD5 hash:
83e86e642ec9ae08d7d176c4fd5a5b0d
SHA1 hash:
e9efa535a86aeeddc3e0f5b99b5521490a627f65
Link:
https://www.unpac.me/results/851320da-9970-4e1c-9c21-9f669d3c9990/
SH256 hash:
420ab43da7ec928eda1921a217f094f31819ee0611e80ccf154a5ddbcd12953e
MD5 hash:
ee8ae9f3e9e070eb591162e3e16c45b3
SHA1 hash:
c01aa21b08f1b64370ead8de8a16b60f5ccdaa6f
Link:
https://www.unpac.me/results/851320da-9970-4e1c-9c21-9f669d3c9990/
SH256 hash:
a80a221ee1aedb54f9be7d841b68f74fda72b4d5036a0df7beac8cc64ed09230
MD5 hash:
ac1323656a1724df15ac1cd2f3ef36c5
SHA1 hash:
b5c342387e8f6b52685ffebbb67c8a7df42dadf4
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/851320da-9970-4e1c-9c21-9f669d3c9990/
SH256 hash:
31b663b91f11b8f7da1d8bd87f8532e563f301754b1ca2c0a97c2f358ad116dd
MD5 hash:
ba1868faf5de09265b89c44732c1ab3d
SHA1 hash:
38997e35e0c68866a2a6e4a7356252e1f252e2e5
Link:
https://www.unpac.me/results/851320da-9970-4e1c-9c21-9f669d3c9990/
SH256 hash:
3ca0370032a82c1c1ee13e88727bd0763365b1731cc0d10934fe37f7ef949865
MD5 hash:
8d384a90dcd988261276f07857c5be0e
SHA1 hash:
729d0d0bd3da46eb7728ae4547ba0e82f81f832d
Link:
https://www.unpac.me/results/851320da-9970-4e1c-9c21-9f669d3c9990/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3ca0370032a8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3ca0370032a82c1c1ee13e88727bd0763365b1731cc0d10934fe37f7ef949865

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 3ca0370032a82c1c1ee13e88727bd0763365b1731cc0d10934fe37f7ef949865

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2429606/
Cape
Cape
https://www.capesandbox.com/analysis/337169/

Comments


Avatar
zbet commented on 2022-11-22 10:05:01 UTC

url : hxxp://208.67.105.179/zangzx.exe