MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1
SHA3-384 hash:	5e711dc75c1baa8f9f9e82ea3e2cc33dafb7c616cc05b8669feef53666a11bb92762e59f1cbd6180d788cc672a553aab
SHA1 hash:	95222ede6eef401b954fe3593fcc1a9a5f74b07c
MD5 hash:	352cdc27fdb7138292c14c851cfe9239
humanhash:	social-east-carolina-island
File name:	RETURN PAYMENT TT.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	604'672 bytes
First seen:	2023-05-11 16:07:13 UTC
Last seen:	2023-05-15 06:16:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:MmYCfCvbWxs+w3vq3NmRQTAY/OSnvsXYvzCMf:MmNqjWxsd3ANGSAYrnU
Threatray	4'380 similar samples on MalwareBazaar
TLSH	T1E3D4D0892237BCDEC445867166543C939E3CB12762BDA0B9A51B748CCD4E8A2CFE45F3
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	35caead8b495ca30 (1 x Loki, 1 x SnakeKeylogger, 1 x AgentTesla)
Reporter	lowmal3
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

261

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RETURN PAYMENT TT.exe

Verdict:

Suspicious activity

Analysis date:

2023-05-11 16:10:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e70e117b-4aeb-4262-91f7-4c2c004aee7b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/388432/

Detection(s):

Sanesecurity.Rogue.0hr.20230511-1134.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/645d12e3a70cc0e6cb303265/reports/b88ecb01-5f45-43ef-b7fe-23623b319e6b/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/84ddcd7e-c156-479b-a9c3-432a2c35df48

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1230910

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-05-11 03:36:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 37 (56.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kxr4ohcamgcqloeqmb7fhjpyacvbksuqt6irgwnxmwjtvdzmb2yq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230511-tk7s3sag33/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://208.67.105.148/blessedjay/five/fre,php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

a98f221d7c588bf73677ae9ff73552def1f0e8561d06bee7f0ca673f42f7bc0f

MD5 hash:

05a3adf75f2bcd6c5ff17f96d154fc03

SHA1 hash:

f7b2fd14ba8d833e1ccddd61beda56f4003f55b9

Link:

https://www.unpac.me/results/7051556f-9afc-44c5-bdb7-079f15c66ab7/

SH256 hash:

3ab1dcc37e7c5c643bf41e9f0f81f816f24974fbddde95e2af52426e3374dd35

MD5 hash:

8a2c496875c0871aecc16aae768b323f

SHA1 hash:

f5423a32125c70b512de301c5616c7b75477e2e7

Link:

https://www.unpac.me/results/7051556f-9afc-44c5-bdb7-079f15c66ab7/

SH256 hash:

a1e1d9159280186d94530ed9a544bef03405cf74f605652ccaaf121c85e71bef

MD5 hash:

df3271f8eff9d5ac35eadec928b192ad

SHA1 hash:

93bb40bb043d88e8bd589d0474f0c98c69f82e38

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/7051556f-9afc-44c5-bdb7-079f15c66ab7/

Parent samples :

50b98481af6d01585e639143040a43d067403bc84511267fc4ea965966a9f1d1
55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1
38e7d064e4ec8c045647a14a45a2af5e21ffbc452ba8e69cdff4957eb515037f

SH256 hash:

d8fc5dfdf2800247eb610beb076fec4d2becf6d951e89445d43237fe97814218

MD5 hash:

e5d93dadd08b8bc727e4f4853c6881ba

SHA1 hash:

27e0e057d33f01586193b0cbf06561c2863951f4

Link:

https://www.unpac.me/results/7051556f-9afc-44c5-bdb7-079f15c66ab7/

SH256 hash:

9cc7df95b6f1e62ceb44e2ea9c0fc5e737a0d097487d7604927fb665256806b3

MD5 hash:

ba233e728ea42a6000597249387bf026

SHA1 hash:

0cba494ee2534248dc805373ed4efa8a17e2e16e

Link:

https://www.unpac.me/results/7051556f-9afc-44c5-bdb7-079f15c66ab7/

SH256 hash:

55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1

MD5 hash:

352cdc27fdb7138292c14c851cfe9239

SHA1 hash:

95222ede6eef401b954fe3593fcc1a9a5f74b07c

Link:

https://www.unpac.me/results/7051556f-9afc-44c5-bdb7-079f15c66ab7/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/55e3c71c4061/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe 55e3c71c40618505b890607e53a5f800aa154a909f911359b765933a8f2c0eb1

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/388432/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample