MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6
SHA3-384 hash: d113c1d435ada75c467923a156bf5c0a0dfd01e61a8e40d54f3f02727fc80cc8b9277db33e2116cb0d0e209a94a95aa5
SHA1 hash: dfbabc2153ae94c7cad9dd1bafc33c7fd7a0331a
MD5 hash: f0503b1899bd51b123d100d1802695eb
humanhash: tennis-spaghetti-yankee-indigo
File name:Original Invoice PL&BL Draft.exe
Download: download sample
Signature Loki
Create hunting rule
File size:412'672 bytes
First seen:2021-01-19 07:30:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 616765ca1e3c367f5f3771d38d13b610 (7 x Loki, 4 x RemcosRAT, 4 x AgentTesla)
ssdeep 6144:j3CDRM9sIkrdnvKgUmCeya1sDkqQz1vYhdDO0YXjIe6mb55Opm:jf9HmdvKKCehSDkqQGhYZsGb5Ym
Threatray 2'336 similar samples on MalwareBazaar
TLSH 79947C62718FE033C022027243E4E663057ABDF31E2F68AF9BD969BD15F6DD0522571A
Reporter abuse_ch
Tags:DHL exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: ycg0.217.bnjo.ml
Sending IP: 167.172.103.40
From: DHL Express <support@dhl.com>
Subject: Consignment Notification: Your Shipment Has Arrived
Attachment: Original Invoice PLBL Draft.gz (contains "Original Invoice PL&BL Draft.exe")

Loki C2:
http://51.195.53.221/p.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Original Invoice PL&BL Draft.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 07:53:48 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/c3ce4f62-b867-4dfc-baea-dc14727190c8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112785/
Detection(s):
PUA.Win.Adware.Bang5mai-6804572-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Moving of the original file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/584706
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-19 02:42:34 UTC
AV detection:
16 of 44 (36.36%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ipt6gnax4inudsbzwntuoryu4g4it3vwr4jyhct5fxn5vkg5623a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0b813805cdf296dc50f3336dcbf6e41f4dc119e753be9511634857eba90a7b0f
Loki
22f5494084ff004f52cf031f8dc00e72f764863e88b90be6e8fe0009af7178b9
Loki
35f2d31f591a7850c05f86c1124aef7193bdd2f2ad7421d1fb09e1144b3fc3d3
Loki
3da3d4d08d81e85337fcad590190b1575b80834e246012f3684ebe6d86118886
Loki
445e1ae4fb515ce4fca81255fc4f569ba238d2a7b3ba0c093f4d55bc8fa5ae08
Loki
7c543362b23c8618d029f1fff5185c8af6adaaa3a6f358d4c8415e8e71ae7818
Loki
88fefe74a59525eecee004f0ca10e3b964462adc1f3b44a794282e17dd3dd67e
Loki
8f381987b6d04acb2f13d81524cd91deed670b4e678d34fc3960278a28cc4eb6
Loki
9dd8b9b40de05ac0aaf1bb9e1710faea9ef584f5eff71d3af7ad3a2dc083649f
Loki
e3699291676cb658693307f1f568e8ae9d82e50f3b2a3c3031437c5d54fe7c16
Loki
+ 2'326 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210119-yqskmcjkz2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/syPLR31sAspbS
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
17e6b7ed6c215ac7ef45f4a85031622d007a58adc8db3a7c28db487fa7f0fe9c
MD5 hash:
a67d17c53716fd0e07555dd2a85bf6f4
SHA1 hash:
41207b5952753e24d5fb16420247559d9dd2391b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/7aab4f9a-8653-4905-ab1d-54610be8fa91/
SH256 hash:
43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6
MD5 hash:
f0503b1899bd51b123d100d1802695eb
SHA1 hash:
dfbabc2153ae94c7cad9dd1bafc33c7fd7a0331a
Link:
https://www.unpac.me/results/7aab4f9a-8653-4905-ab1d-54610be8fa91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 7a7a7a960000dab01d9e0d823a6c81c49eee10bc25af346350fb34327e6bd8ce

Loki

Executable exe 43e7e33417e21b41c839b367474714e1b889eeb68f13838a7d2ddbdaa8ddf6b6

(this sample)

  
Dropped by
MD5 fc8d51b8ddf1d40d7604d69a03c188f6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112785/
  
Dropped by
SHA256 7a7a7a960000dab01d9e0d823a6c81c49eee10bc25af346350fb34327e6bd8ce

Comments