MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a
SHA3-384 hash: 6ea82005f1b434ccd09f7489037fd656c84d952aa8a9519b81f2ce93615e877a29f628d36d49373665f625dbdeb9d950
SHA1 hash: 0cb17f0fef8b6f135691b30d3960699fc9703681
MD5 hash: 178f631595778ce7324d8ace8e718560
humanhash: finch-batman-avocado-kentucky
File name:Invoice no 2965.exe
Download: download sample
Signature Loki
Create hunting rule
File size:138'637 bytes
First seen:2022-12-19 07:43:49 UTC
Last seen:2022-12-19 14:27:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 3072:rlTSr+vbmJaSJRd3xgxQA7ydXOBRi8cbbMvolYW0/ZTLDQ:rkwUlzGyVOS8CkX1/ZTvQ
TLSH T1DAD30206A9D1C1BFE44245B216B686ADCFF2B1041113B38F9F806FFE69154E399972E3
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
5
# of downloads :
165
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Invoice no 2965.exe
Verdict:
Malicious activity
Analysis date:
2022-12-19 07:44:21 UTC
Tags:
installer trojan lokibot
Link:
https://app.any.run/tasks/a635558f-f3ea-46b6-966e-7faf8497bfc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/347838/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.11067.31130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63a016438f89a0881295a523/reports/12b62331-4b48-4981-b050-a1dfb19ff3d0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09abb5b6-d1e5-4bbf-9c09-f0e17c9d7646
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1136916
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 769642 Sample: Invoice no 2965.exe Startdate: 19/12/2022 Architecture: WINDOWS Score: 100 25 drinz.us 2->25 41 Snort IDS alert for network traffic 2->41 43 Multi AV Scanner detection for domain / URL 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 8 other signatures 2->47 8 Invoice no 2965.exe 19 2->8         started        signatures3 process4 file5 19 C:\Users\user\AppData\Local\Temp\sbfzs.aum, DOS 8->19 dropped 21 C:\Users\user\AppData\Local\...\julhulg.exe, PE32 8->21 dropped 11 julhulg.exe 8->11         started        process6 signatures7 49 Multi AV Scanner detection for dropped file 11->49 51 Tries to steal Mail credentials (via file registry) 11->51 53 Machine Learning detection for dropped file 11->53 55 2 other signatures 11->55 14 julhulg.exe 54 11->14         started        process8 dnsIp9 27 188.114.96.3, 49699, 49701, 49706 CLOUDFLARENETUS European Union 14->27 29 drinz.us 188.114.97.3, 49698, 49700, 49702 CLOUDFLARENETUS European Union 14->29 31 192.168.2.1 unknown unknown 14->31 23 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 14->23 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Tries to steal Mail credentials (via file / registry access) 14->35 37 Tries to harvest and steal ftp login credentials 14->37 39 Tries to harvest and steal browser information (history, passwords, etc) 14->39 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-19 02:47:11 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ixfvwxft7cibo5mbsdudz4um3suad6clxid2uaqxmbsdbsyt4fva._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221219-jktlcahe5y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://drinz.us/FILAZ/QU/coosaza.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/463769e7-2351-499b-8d85-7114e23b9f3e
Unpacked files
SH256 hash:
43cec2db0e28a09baca0fe29b69c7382d25473ac146d21a6f84763bb7e8b9e98
MD5 hash:
4c4c9da4f262cb66ed53b99f53c78e14
SHA1 hash:
d7ee962528e07da7b66aa8dabea98804c36502a4
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/d3df6d0a-0d45-4e64-9dd8-0695f90a922b/
Parent samples :
34cb99613940f2408bc3ca05b9fef7b8d490cd8cada151b65251a1f76fdddc81
e1f1a46473b3ace74c79e93e2b14e01855107c183ef4859f23fef8c9c0f18508
1c98eba313c5786fc35259e16cf96053540a5e36b875b490b3f2fbf0cca43645
1052cd8feba9809abbd2cc008e37420a6b287c423b4df5b0a1385a1ce34fcb11
cf0e1a66f5e4e2277f8860afbc082395b7a3d452d24eeb0631c8f34dae047a45
45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a
SH256 hash:
8180fedb7544882e1008527bf25c2e585cfb34f0f52c5fdead07ae558f636de4
MD5 hash:
716f4c63a9ad3d4365c63839a1a2e29f
SHA1 hash:
cd3b42a6aca5c12519de92e367a22721536a82e4
Link:
https://www.unpac.me/results/d3df6d0a-0d45-4e64-9dd8-0695f90a922b/
SH256 hash:
45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a
MD5 hash:
178f631595778ce7324d8ace8e718560
SHA1 hash:
0cb17f0fef8b6f135691b30d3960699fc9703681
Link:
https://www.unpac.me/results/d3df6d0a-0d45-4e64-9dd8-0695f90a922b/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/45cb5b5cb3f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/347838/

Comments