MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3
SHA3-384 hash: c8dcee526136be409a9f4d05ce081a13a1e0eb71f9d7cbd95b4500f6c076bea10cc5c3ac48c4f63eb5eb70ca29da6e2d
SHA1 hash: 54142e4fe8c7944b351a380e0aa59af441d0bec1
MD5 hash: 2dd7ff2599b0cdcbe4645b80adad4163
humanhash: sierra-iowa-stream-comet
File name:audiodg.exe
Download: download sample
Signature Loki
Create hunting rule
File size:708'096 bytes
First seen:2021-08-03 06:20:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ehSGge4umEGLBBBBBBBBBBBXBBBBBBBBBBBdaAPy8BibAtut+oxNoIjjNBkdGP5M:o4et4dibxnNnjjNBkQPyuJW
Threatray 10 similar samples on MalwareBazaar
TLSH T1C8E49E123AFA515CF3B79EF60FD8B4AE4AFAF5B3A509F0B53892070643619818C11776
Reporter JAMESWT_WT
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Advance Payment.xlsx
Verdict:
Malicious activity
Analysis date:
2021-08-03 05:39:36 UTC
Tags:
encrypted exploit CVE-2017-11882 loader trojan lokibot stealer
Link:
https://app.any.run/tasks/b5163ee8-d767-49ae-8258-4da286be96a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175933/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.19176.19538.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/934a6ffe-164a-4f69-b31c-f055815c7760
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825894
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458309 Sample: audiodg.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 19 Multi AV Scanner detection for domain / URL 2->19 21 Found malware configuration 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 8 other signatures 2->25 6 audiodg.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\audiodg.exe.log, ASCII 6->17 dropped 9 audiodg.exe 6->9         started        11 audiodg.exe 6->11         started        13 audiodg.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 06:04:44 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0f330652345ef8518b898bf3f58e2fc1145e5cb4f4801bdeb77f6bc802b8e99d
Loki
338aa2c1775d9e5d546abd328fdf31f20638905e85e684c7470ed5de507775ab
Loki
988ec5d9bc02691882a3180947ee76fabc3629413f79a2e4768b9adb58ba432c
Loki
9ab477e23d8cf8368d35d25f4dd3dac5edb67cc75425d485706d3223dee8d875
Loki
ade1520f81648e41c1d8f9c48c022fe413020959b936275dd6bb346d764090dd
Loki
c0208729f67153c198d453b99e2ee4cc13354480756fa9b2ce366cfdcbbdcaf1
Loki
c327c487752e223730def60d8ba802626c5c92256d4b8ccc102ec1b13475096b
Loki
d4db69bade281fb989590744f1bf16e23c686dd5c878fed34b1180ab11d30b0e
Loki
e3c270600328928f0c6576743fd759ca88b86abb024ae180549c3a5be0e7e41e
Loki
ec020ddc20a07b93afa94a9a3b95b8244bd9a8c8527742cd35957e4c91ca4604
Loki
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210803-xp1x2l7jes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
57583d2d8b5ae4d33e0d6460632d7789de972b03ee5a113f3a7de08bfd31c84c
MD5 hash:
bfdc78aadf4f30bfcbdc2738285fd8bf
SHA1 hash:
0d8b1fb306b5da5ffc57ea431f19e7847e9f731f
Link:
https://www.unpac.me/results/63d2f070-c446-43c6-80db-aa0eed0fa31f/
SH256 hash:
cfef97ff706312dff4edd998aeee22f1283221631ebb0cc954bebbb701c1465c
MD5 hash:
a0f625a3d3348903f3c902f588c0e4f5
SHA1 hash:
20d1f0b74abe6f500e8c21119f55281926210ac0
Link:
https://www.unpac.me/results/63d2f070-c446-43c6-80db-aa0eed0fa31f/
SH256 hash:
93ee33978592414299e6caeedba3eb0eb32d0312b1c0128dac917d8698fdf0ab
MD5 hash:
c4ab37c00ee0687ca39e34fae4f34e08
SHA1 hash:
a28a7259c310bd8e34392e536a58da0a2498c689
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/63d2f070-c446-43c6-80db-aa0eed0fa31f/
Parent samples :
b90e3f203d5736096b41b710e1fa0ab10f26025e84e4fcf1e4bc760a0306ed72
871bf856570e8021effd3de1767e02189bb17bd426bf8b8974c8646789586cd5
0293d5dfdc4a137166aebb05f2c1b7b4819846032b6c1cd6431f83b4f282cf88
3dd8e57608751941804d5f1f0df50bcd1b1903a066686d1546ebdca4b38f0d6a
d24e0e7d0b1ff4aabceb241fe7d7143daea5bdd1502e236e89850405f8285943
56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3
c6293ae47a25ce56a2c8b6c99c4f0382b81863d8a456743f2bac4e799387ff98
dd025916c022873b3269e3280d3143ec0422f1fb3e15eed452fff5ae9bedd055
f3d4a0ea5e42ea3617fc8fc01bb61ed71fc15bab20b3936bb1c6db0782a98eab
80f5c8e7094a7fc305b06c743b8325a26f88da552e4b29dbf1f49fd970ffb6df
SH256 hash:
56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3
MD5 hash:
2dd7ff2599b0cdcbe4645b80adad4163
SHA1 hash:
54142e4fe8c7944b351a380e0aa59af441d0bec1
Link:
https://www.unpac.me/results/63d2f070-c446-43c6-80db-aa0eed0fa31f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 56e9e3ac63d727a6ba0d0ff82236083ac8aa806bd70373fb9c5e8ddaa87b8ee3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1501656/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175933/

Comments