MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4156f1bd9f23e8d19b26225f373b4d76e0088fcadb14b59fbe791d11127795e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4156f1bd9f23e8d19b26225f373b4d76e0088fcadb14b59fbe791d11127795e7
SHA3-384 hash: 8d84d18f66c887aa9dd68aaf3b1ff6fd28acf3f860741ef9f9cc713d18d6c67e24f4ce2ec8413ab474ee0667f2a2c574
SHA1 hash: 750bac92e2d5b86074e3a288d2f4517b5b9a752c
MD5 hash: fe5329a5ccb733e0b14f1e86badcbb73
humanhash: thirteen-winter-fix-tennis
File name:Request for Quotation (Taipei Medical Univers.exe
Download: download sample
Signature Loki
Create hunting rule
File size:414'976 bytes
First seen:2022-09-15 11:55:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f91aceea750f765ef2ba5d9988e6a00 (45 x GuLoader, 9 x RemcosRAT, 7 x Loki)
ssdeep 6144:CEh9vQptxn/AcN4nSVzhYCk1QmZEpaf7706Qyw/KhCd8bA6+JEo9TWMrBG:CRfTiSz1o7706TAKbA6IE0/o
TLSH T12694D0D2FBA086A3CE6D4734D073DA111779BDB8B6A09B4F534D30955DB3382226B21B
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 96b2b4c4e4f4f4f0 (5 x Loki)
Reporter abuse_ch
Tags:exe Loki signed

Code Signing Certificate

Organisation:Sandvaaners Klynker Hypersensitiveness
Issuer:Sandvaaners Klynker Hypersensitiveness
Algorithm:sha256WithRSAEncryption
Valid from:2021-11-28T23:16:40Z
Valid to:2024-11-27T23:16:40Z
Serial number: -0912812d81ef5c54
Thumbprint Algorithm:SHA256
Thumbprint: f2e30879bd8a839d91923c557e189861457399c309adf12a94b2b87d883a3a73
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Loki C2:
http://162.0.223.13/?5566589175702602

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://162.0.223.13/?5566589175702602 https://threatfox.abuse.ch/ioc/849723/

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for Quotation (Taipei Medical Univers.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 07:53:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e0e46bf-d88b-4440-9257-2911e286046f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310232/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Searching for the window
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37698/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/632312b4ba7b8113dd64a903/reports/ddcc22ca-3a4b-4c73-8f56-a86424b71c64/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d4fa4412-be17-4ff4-8e89-28d035ccd907
Result
Threat name:
GuLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070867
Signature
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4156f1bd9f23e8d19b26225f373b4d76e0088fcadb14b59fbe791d11127795e7/
Threat name:
Win32.Trojan.NSISInject
Create hunting rule
Status:
Malicious
First seen:
2022-09-15 11:56:09 UTC
File Type:
PE (Exe)
Extracted files:
83
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iflpdpm7epundgzgejptoo2no3qard6k3mkllh56peorcetxsxtq._file
Verdict:
unknown
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection downloader spyware stealer trojan
Link:
https://tria.ge/reports/220915-n31vlagfer/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Lokibot
Unpacked files
SH256 hash:
703e17d30a91775f8ddc2648b537fc846fad6415589a503a4529c36f60a17439
MD5 hash:
637e1fa13012a78922b6e98efc0b12e2
SHA1 hash:
8012d44e42cd6d813ea63d5ccbf190fe72e3c778
Link:
https://www.unpac.me/results/893a19a7-d38f-4a38-a872-798402f830c9/
SH256 hash:
03a6d1477f124fd0c01b605a5ba14049a9b6ab33f8f0c467c1391ded90679de5
MD5 hash:
6842d53e7b4e7d3f0cd2e45fe4616320
SHA1 hash:
f7b8d00938d81c1dd93e40c2c19fe3512bf3bf0c
Link:
https://www.unpac.me/results/893a19a7-d38f-4a38-a872-798402f830c9/
SH256 hash:
4156f1bd9f23e8d19b26225f373b4d76e0088fcadb14b59fbe791d11127795e7
MD5 hash:
fe5329a5ccb733e0b14f1e86badcbb73
SHA1 hash:
750bac92e2d5b86074e3a288d2f4517b5b9a752c
Link:
https://www.unpac.me/results/893a19a7-d38f-4a38-a872-798402f830c9/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4156f1bd9f23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/4156f1bd9f23e8d19b26225f373b4d76e0088fcadb14b59fbe791d11127795e7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310232/

Comments