MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ccfa25b4a3ff244daa9ac9b87f06efbeda2f92b81555c2a389c97c615ff3c46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	3ccfa25b4a3ff244daa9ac9b87f06efbeda2f92b81555c2a389c97c615ff3c46
SHA3-384 hash:	7d5685b21db960f2a0bc44819052dd81358d6056880e6ad65e7ffab25ef05de7a4253868e4aaaa7e9834c2d5dd0b8c17
SHA1 hash:	e0419ae29ea06091d2a026a8ac599062b09df5b3
MD5 hash:	3ad4e441ab86eb0a21625e27bb32e0a8
humanhash:	sixteen-oranges-enemy-ink
File name:	LCL Export Sailing Schedules for your reference.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	302'080 bytes
First seen:	2021-11-27 19:16:42 UTC
Last seen:	2021-11-29 07:56:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:fDE7uq6BFm/I87xrNOPn6N1aeZlzrDMbsi8LpQ9ywvb9vtvTxFU+Wgu1J:foixBFm/I6pNjqeZ5/MIimQrZRTxFUa
Threatray	5'630 similar samples on MalwareBazaar
TLSH	T18E541288B675A7ABDB4E53F9586700C51BB2B50F2101F34F1DCDA28A0EDEF458920DE6
Reporter	GovCERT_CH
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

LCL Export Sailing Schedules for your reference.exe

Verdict:

Malicious activity

Analysis date:

2021-11-27 19:19:43 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/c31881dd-0bcb-42cf-8dbf-f9e994a4d226

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

DNS request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Stealing user critical data

Query of malicious DNS domain

Enabling autorun by creating a file

Unauthorized injection to a system process

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61a2843002c80febc2ab8d56/reports/3a422a91-464c-48b8-88f4-59b1672994a5/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1249fa28-f70e-4c79-aba2-02a24daeb3cc

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/897201

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicius Add Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/3ccfa25b4a3ff244daa9ac9b87f06efbeda2f92b81555c2a389c97c615ff3c46/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-27 15:30:25 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hth2ew2kh7zejwvjvsnyp4do7pw2f6jlqfkvykrytsl4mfp7hrda._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/211127-xzcs2agad4/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Lokibot

Malware Config

C2 Extraction:

http://domynuts.ga/accounts/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

4f4bda65013bc5bf0ff54452c8a8ac390941c8c01aa5ceb8ac7aad193374b575

MD5 hash:

0a62713d8f31323a1b689100ac94723e

SHA1 hash:

9f9683e44dea2240993b08fa002966df0cefec7f

Link:

https://www.unpac.me/results/b2f7e6f8-e36c-4b95-a4d9-aebe617ac215/

SH256 hash:

892c06aa2510d3595f883d2ad2166afe4c0a38ee36c3517346130ddf12aea6c5

MD5 hash:

5a834ca206679da82a07451323ac44f0

SHA1 hash:

9d826f5dfe0d00b19ade80201152a443b0c9036b

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/b2f7e6f8-e36c-4b95-a4d9-aebe617ac215/

Parent samples :

949d911ef54a1c977e3c7084d6dbf22c87e9757f6a850afa7f73c5dd32b174ef
3ccfa25b4a3ff244daa9ac9b87f06efbeda2f92b81555c2a389c97c615ff3c46
780d72b9fcb56f2bfa564e631b3a61f0e018620e0dc884535cf5cb22d6c94eea
99876ba3443f83eb1570141b55c44a1be4685d10fd329dc15f5439bfdb4c5419

SH256 hash:

f6639a3b21a09ca5e9e43e10f8ac7f822956232806805252096f03f68bc9815c

MD5 hash:

aa334e922c53c5cba0b43c342ac13b14

SHA1 hash:

68109327b5e98174293bb348dfea6a088cbd5d2f

Link:

https://www.unpac.me/results/b2f7e6f8-e36c-4b95-a4d9-aebe617ac215/

SH256 hash:

3ccfa25b4a3ff244daa9ac9b87f06efbeda2f92b81555c2a389c97c615ff3c46

MD5 hash:

3ad4e441ab86eb0a21625e27bb32e0a8

SHA1 hash:

e0419ae29ea06091d2a026a8ac599062b09df5b3

Link:

https://www.unpac.me/results/b2f7e6f8-e36c-4b95-a4d9-aebe617ac215/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3ccfa25b4a3f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ccfa25b4a3ff244daa9ac9b87f06efbeda2f92b81555c2a389c97c615ff3c46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe 3ccfa25b4a3ff244daa9ac9b87f06efbeda2f92b81555c2a389c97c615ff3c46

(this sample)

Dropped by

loki

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample