MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f42c088ce25c533f83bd77c65ff8f36e2f73691a885f7a1db9fe2eb9a759b4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f42c088ce25c533f83bd77c65ff8f36e2f73691a885f7a1db9fe2eb9a759b4f
SHA3-384 hash: 0a4126de5fa51f75b2c31b678a975ea6b7d7fd894b69ad227a7504ffe488dfdd9d5a26df7f1d6c49c792aff313044c4b
SHA1 hash: f682ba2ed5e33fc87486ca356a4fa8c66a28aa05
MD5 hash: 1a91f08973d64ed2c21a012da49c5065
humanhash: hamper-football-sixteen-lamp
File name:BANK TRANSFER SLIP.pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:774'656 bytes
First seen:2021-11-17 14:48:01 UTC
Last seen:2021-11-17 16:28:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Pq/lqhCcfZ/2YpclG5eB6tJZ7KtWrA4S2zG9+aw9cNq0p2W:oBk/2Ypc4cB63FtrA4jZqN
Threatray 12 similar samples on MalwareBazaar
TLSH T143F4F11536B84F03C5BEC7F45629814003F2766962A7EB1E2CD3B1DB3E66F958B46A03
File icon (PE):PE icon
dhash icon c8c4e2f934dc2e16 (10 x Loki, 6 x Formbook, 6 x AgentTesla)
Reporter James_inthe_box
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BANK TRANSFER SLIP.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-17 14:56:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89e25671-f6a6-4f85-907a-865344ecd4cc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Inject4.19817.19876.23732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/619516242695a62af9f23a7c/reports/af171d0d-4f85-4455-b52b-98318fda28c9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/44c5102f-999c-4aae-90b4-616a681b63cf
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891242
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f42c088ce25c533f83bd77c65ff8f36e2f73691a885f7a1db9fe2eb9a759b4f/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 02:04:26 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5bmbcgoexcth6b3256gl74pg3rponurvcc7pio3t7roxgtvtnhq._file
Verdict:
malicious
Similar samples:
0015010d556c742894256aca4e378e9b0c9dcebe4aeeac66ec4d6bdb37a1599a
Loki
2295e6001d04081ff43afb1ef4a609d21fc55dd6f7e8b12d7c39e43d0dc7352e
Loki
4b2188efef8232ed57ceb0bdb1e444576ed01c26015a7bbf18bae3b7991cd9e6
Loki
4d466d0ee8fc3db2bce2be746b7fb4bd14cfc9930f95fa7cb89473bed4bd5c5a
Loki
5abf356c34fac462b7977aa7ee02ea4e072764d6acb7803fd9591af68e6a2429
Loki
5ccf09f147388edaa189fdfa1549da2240b908203d6830ee2ce4f0289838b26a
Loki
96eb36242589b7a64977eea92e0c0834e5321b605f9a306110398d4da428f3d3
Loki
bc434d6f3e71a7996405b339d78e45741bd7b251df9da7d5d0ef19a13c968086
Loki
f12bd14127772fc5ea920b39161f0c30fdf462bf9622b59eaafd7e8f1803156d
Loki
f57a7eb43c8b6a3e3c2a2d5a880ef3f56179c571ee6af3789eb643795ba9085f
Loki
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211117-r6fklsdab7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
86fe170cc6dd3a576807c1192a06ead68bf210f9ccd14f1a81d4f44c2dbcc25f
MD5 hash:
bf5c170790a9378101dbc312303925e3
SHA1 hash:
bddaf21c02ba5cec7c4dfd1b1f289e23714a8ba8
Link:
https://www.unpac.me/results/348bc747-8d86-4bf9-ba16-6e0efe33451b/
SH256 hash:
11f8a7359a95df33fb7e2bae69970d58e536da24643845f09344981ec7cc83f2
MD5 hash:
54ea170475b89791c192ba2599d81130
SHA1 hash:
b85b75c84e4f371444c6deaf754970c4b313abd9
Link:
https://www.unpac.me/results/348bc747-8d86-4bf9-ba16-6e0efe33451b/
SH256 hash:
da30888e9e7a714ee2eb9f252ab837add7669a102e742f8ea7f9edf837f34d23
MD5 hash:
86c7b556fa05a1a28ac469a4a5367f00
SHA1 hash:
70943141f395933d7e5c2f070582595fd311f192
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/348bc747-8d86-4bf9-ba16-6e0efe33451b/
Parent samples :
5cef37f1f5ed3bd0708b5f4385844ff64d08fb05f8d03cc8627c365e0b66ddb6
4f42c088ce25c533f83bd77c65ff8f36e2f73691a885f7a1db9fe2eb9a759b4f
dc4ecc67b36afe5bb29bd472efcd0bb6e52b25bf3d6f5a11649ad16f71474727
SH256 hash:
f372814bcf3175592d136494118a825c98d02c710981e1e62973c4fb970fb563
MD5 hash:
1ff21e0fb116ff5471603b774e295a5d
SHA1 hash:
18732c5173937a6e956c93c8ae40e18f31904a23
Link:
https://www.unpac.me/results/348bc747-8d86-4bf9-ba16-6e0efe33451b/
SH256 hash:
4f42c088ce25c533f83bd77c65ff8f36e2f73691a885f7a1db9fe2eb9a759b4f
MD5 hash:
1a91f08973d64ed2c21a012da49c5065
SHA1 hash:
f682ba2ed5e33fc87486ca356a4fa8c66a28aa05
Link:
https://www.unpac.me/results/348bc747-8d86-4bf9-ba16-6e0efe33451b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4f42c088ce25c533f83bd77c65ff8f36e2f73691a885f7a1db9fe2eb9a759b4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/206869/

Comments