MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c6180b194f10ab55f060037b3eaa1b13c01651d04f3d522ab8f3a39df13309f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c6180b194f10ab55f060037b3eaa1b13c01651d04f3d522ab8f3a39df13309f
SHA3-384 hash: 240e1f67d111e19913719ac6184d4b427790dfe79dc42ea6dccbc1a7c2cfd47f14f6bcbac86378df9451a98a9b921b82
SHA1 hash: b3d11b48e7ef375a1fe820fe8961e6276cf08c5a
MD5 hash: 1f8c325cf83ce8aacf96088670947a5e
humanhash: single-coffee-finch-fillet
File name:1f8c325cf83ce8aacf96088670947a5e.exe
Download: download sample
Signature Loki
Create hunting rule
File size:478'208 bytes
First seen:2021-03-01 15:10:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 6144:FN3//x5lgkD//x5lgkD//x5lgkU3MQg92JN2pHy81152XgkJ9GeuAX+/zBHx:lgkNgkNgkU3oNRy81iXgi9uAXOR
Threatray 2'535 similar samples on MalwareBazaar
TLSH E8A4F180B5A1CBD5D7B50EF2A425CC0807371E176416DE8A1E4AB1CB5DB3B03496AEDF
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_swft01032021.doc
Verdict:
Malicious activity
Analysis date:
2021-03-01 13:03:41 UTC
Tags:
ole-embedded trojan opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/a7239d81-e935-44c9-9345-40da2757367d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120339/
Detection(s):
SecuriteInfo.com..10174.20525.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/622373
Signature
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Yara detected Beds Obfuscator
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 360181 Sample: vzoWnmtGk0.exe Startdate: 01/03/2021 Architecture: WINDOWS Score: 80 48 osndjdjjjdjshgaggdkf.com 2->48 50 Multi AV Scanner detection for dropped file 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 56 3 other signatures 2->56 8 vzoWnmtGk0.exe 3 2->8         started        11 Drivers.exe 3 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\vzoWnmtGk0.exe.log, ASCII 8->30 dropped 13 powershell.exe 15 8->13         started        17 vzoWnmtGk0.exe 15 2 8->17         started        20 vzoWnmtGk0.exe 8->20         started        22 Drivers.exe 14 2 11->22         started        24 powershell.exe 19 11->24         started        process6 dnsIp7 32 C:\Users\user\AppData\Roaming\...\Drivers.exe, PE32 13->32 dropped 34 C:\Users\user\...\Drivers.exe:Zone.Identifier, ASCII 13->34 dropped 58 Drops PE files to the startup folder 13->58 60 Powershell drops PE file 13->60 26 conhost.exe 13->26         started        36 osndjdjjjdjshgaggdkf.com 17->36 38 chelseafc.map.fastly.net 151.101.2.133, 443, 49715, 49716 FASTLYUS United States 17->38 44 4 other IPs or domains 17->44 40 osndjdjjjdjshgaggdkf.com 22->40 42 www.manutd.com 22->42 46 2 other IPs or domains 22->46 28 conhost.exe 24->28         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c6180b194f10ab55f060037b3eaa1b13c01651d04f3d522ab8f3a39df13309f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 15:10:10 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1df38ad7f7297914ac4345c3572a92bd2a0507baedff37681f35b3bb8fa0d9eb
Loki
3b9ff29f35dafcb9a28349285b3a4f834c21d3a4061f05c775ee53b11fdd6a05
Loki
3bed1ace3b8e8797d0df86154ec358ebfd94d011be503b6b35a44e845029fe5e
Loki
5434b3121b379bde98f409a5d00c6da0be9f001b73e73860ca0c530386e002c6
Loki
67022a9257f711a8c6287fd668c24d8ded9cefbbe1b0e5cf299a1fd9a03fc29f
Loki
7689fde52d772a6810cccf89d32a6bb8e944a9ce435a44dc52032feeee61d6eb
Loki
8a13494953554ec0315e8f31ece8fc8a0f8ff12de3530680555eb37686434dc4
Loki
ad6946570be39c2f4da1777083f2339cae24bec7928b460db68e55e53c915e22
Loki
b374351f0f9b840defca70f32554b5ee570905a96ec6ef032987476684e94742
Loki
d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345
Loki
+ 2'525 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/210301-7dxp8znvkx/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Beds Protector Packer
Unpacked files
SH256 hash:
67f3dbc45f90576dff09566275517867198c0838a8348d6557e4f854bf381097
MD5 hash:
87e32f9a9784f3ae2bb6d2355c88bbc3
SHA1 hash:
11f302175352d84b80b2cd4babe8bdd3c4abefc6
Link:
https://www.unpac.me/results/d9ec1601-8b6e-49c1-b0f1-daca6183ccfd/
SH256 hash:
044498d1dd4d4b0d2278874bdcc8122b5c5f91923ee475c3d428367e79bfc789
MD5 hash:
75d78a966ca8921f22dcb9729156e10c
SHA1 hash:
e710e324c4bebe1077ca207132dfaf74f18fa4fa
Link:
https://www.unpac.me/results/d9ec1601-8b6e-49c1-b0f1-daca6183ccfd/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/d9ec1601-8b6e-49c1-b0f1-daca6183ccfd/
SH256 hash:
4c6180b194f10ab55f060037b3eaa1b13c01651d04f3d522ab8f3a39df13309f
MD5 hash:
1f8c325cf83ce8aacf96088670947a5e
SHA1 hash:
b3d11b48e7ef375a1fe820fe8961e6276cf08c5a
Link:
https://www.unpac.me/results/d9ec1601-8b6e-49c1-b0f1-daca6183ccfd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c6180b194f10ab55f060037b3eaa1b13c01651d04f3d522ab8f3a39df13309f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 4c6180b194f10ab55f060037b3eaa1b13c01651d04f3d522ab8f3a39df13309f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/120339/
  
URLhaus
https://urlhaus.abuse.ch/url/1040011/
  
Delivery method
Distributed via web download

Comments