MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 407e2a13d5a5f6a216c6314c8075bc1bc7ff5f02c27b96274456732b1e7c1f74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 407e2a13d5a5f6a216c6314c8075bc1bc7ff5f02c27b96274456732b1e7c1f74
SHA3-384 hash: 929bd517b242f50445fc48925a56ac763e04f4c7bdb6f72662974e68571cb02c6200a246c9dc0c15965dd61990abb429
SHA1 hash: b87c13f6f13946f6ec617884fc14cda9cb20a83c
MD5 hash: ceeb6d36fc3d5bd7f1fe5dcc2af495c2
humanhash: cat-zulu-july-fifteen
File name:ceeb6d36fc3d5bd7f1fe5dcc2af495c2
Download: download sample
Signature Loki
Create hunting rule
File size:585'728 bytes
First seen:2021-11-18 20:18:58 UTC
Last seen:2021-11-18 22:59:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:d853Y0pI3KwZJ/5ifFdjKTsswOg0Mf84zartD00d:OlmKuJ8djFOg0yWC0d
TLSH T18DC4E00437B89F42D33A4EB29933A04187726D766A21D6DB6ED12CDF253EF4402A2F57
Reporter zbetcheckin
Tags:32 exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://84.38.133.143/mido/430Ngbtze1j7Et3.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-18 10:42:48 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/40538c0e-ba53-4a14-bc66-c457cf4f932a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.45248.14409.28506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Query of malicious DNS domain
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6196b53b4912a8c920a2ef2a/reports/8b4a703d-0688-4220-983d-2456742da8e6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d965fce5-5dca-4cb4-b2a6-a718f23e58ef
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892285
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/407e2a13d5a5f6a216c6314c8075bc1bc7ff5f02c27b96274456732b1e7c1f74/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 20:19:07 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ib7cue6vux3kefwggfgia5n4dpd76xycyj5zmj2ekzzswht4d52a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/211118-y3t26aaec4/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://secure01-redirect.net/ga27/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
ae1b32d0afb17a4d1003d3bf862326eea991d3fb3494d42bec5f6f793aed6b78
MD5 hash:
27fc268f8d7471c5214d146797f1525d
SHA1 hash:
46dac8b9e792c18067e4512838bef347c3b1b8ed
Link:
https://www.unpac.me/results/2bb117df-b999-4e1f-8382-70066a82145f/
SH256 hash:
a46a22378b80a526a73c409a5d7a0819562906348a41de7899c6a458efd9bc97
MD5 hash:
42342fd138b8d045d4c02e737dcd30f1
SHA1 hash:
5829426ad65579d1281f04a33518a24ba3742a6a
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/2bb117df-b999-4e1f-8382-70066a82145f/
Parent samples :
07acaa3b3daa02b7553fec44fa3a8de8fbe2f438204bda2aba8c4a2a92c7b6bc
845e9dad5f85f08c92b2bb93e91aaca9914e9381808fdb656cb6a1af9d6f27a6
407e2a13d5a5f6a216c6314c8075bc1bc7ff5f02c27b96274456732b1e7c1f74
6774298f4fa71c6fcaddf6365a27181452b84c3593d1c61042f4f6f0a8311613
SH256 hash:
66f1c076593c287ccb7af978e89830cd5a944e3bf7c2447a45f4097a382bda85
MD5 hash:
54deaf4c7736343027c26e36d59f59c3
SHA1 hash:
b76ad0c01e54ef9f5cb552debc7ba2767982f887
Link:
https://www.unpac.me/results/2bb117df-b999-4e1f-8382-70066a82145f/
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/2bb117df-b999-4e1f-8382-70066a82145f/
SH256 hash:
407e2a13d5a5f6a216c6314c8075bc1bc7ff5f02c27b96274456732b1e7c1f74
MD5 hash:
ceeb6d36fc3d5bd7f1fe5dcc2af495c2
SHA1 hash:
b87c13f6f13946f6ec617884fc14cda9cb20a83c
Link:
https://www.unpac.me/results/2bb117df-b999-4e1f-8382-70066a82145f/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/407e2a13d5a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/407e2a13d5a5f6a216c6314c8075bc1bc7ff5f02c27b96274456732b1e7c1f74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 407e2a13d5a5f6a216c6314c8075bc1bc7ff5f02c27b96274456732b1e7c1f74

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1799974/
Cape
Cape
https://www.capesandbox.com/analysis/207390/

Comments


Avatar
zbet commented on 2021-11-18 20:18:58 UTC

url : hxxp://84.38.133.143/mido/430Ngbtze1j7Et3.exe