MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57c8aa8fcfc3924d3076c7ab101aca78cdef35a62d3359c51f8d0cb90eb34b20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57c8aa8fcfc3924d3076c7ab101aca78cdef35a62d3359c51f8d0cb90eb34b20
SHA3-384 hash: c8fcfa0c1114daf661dff3d293fb7ba5a4e8f90ca81b045f9586a66614f2efe6506dc3b86525936588e8f513ea29bcd1
SHA1 hash: fb0d2f9abb692058eadb5ba1d8277fef73fc34d1
MD5 hash: f3e8a3a1304f67802a0a1d6e8b46deca
humanhash: jersey-montana-diet-washington
File name:DHL_PaymentCopy.exe
Download: download sample
Signature Loki
Create hunting rule
File size:186'495 bytes
First seen:2022-05-16 06:51:40 UTC
Last seen:2022-05-18 15:48:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 3072:LODZGPEounbGT8aR5RO3eNAUjjUHbRueiESJkz4xRuPgKZ1tyza7eUg5IyWd4J/G:LOtIOk1CSjygscg4xRWgQ1tyo9RyWdY+
Threatray 7'823 similar samples on MalwareBazaar
TLSH T1EA041205F0D1E0B3DA773A321ABB4F2F4EA9213159A5531B475029AD7D52382BF8F790
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
7
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
DHL_PaymentCopy.exe
Verdict:
Malicious activity
Analysis date:
2022-05-16 07:19:10 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/7be045ef-cda5-4118-b101-3307fd70f9cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/270904/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/17903/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe formbook overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6281f4a2cc43366302cd5450/reports/f4b1e2b0-8c57-43e8-bf05-430720d1e20c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2008ffc7-5c1a-4392-9f38-d6913e9b0aae
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/994621
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/57c8aa8fcfc3924d3076c7ab101aca78cdef35a62d3359c51f8d0cb90eb34b20/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 03:49:02 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 41 (58.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7ekvd6pyoje2mdwy6vragwkpdg66nngfuzvtri7ruglsdvtjmqa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
288b1eab3026050ee178211ace5bf2e8cad9d85773ffc056929cd7b6fd3bd029
Loki
3807df31a0db07c4ea7b4e06c0f8c2db76e3c84071319d1e1b356c62f3872512
Loki
567bf09698cfcb493c909227b6f3d53db7e693cc0dbfc6d9c1ca060f3ed13f17
Loki
7e7fb389420084c8d186307502d05cb767293ec80fddabb73d7b1fe9e3654bcb
Loki
8116cbb4df4ee4bb16670039400e53305fa7084b29463a8d541e308cfd0b7950
Loki
e06081aedcfc5f44b0ccde2ac1a13f287ed6533f74ca5fa050e174e5774140c2
Loki
+ 7'813 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220516-hm25tshhhl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://lokaxz.xyz/fc/bk/ss.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
590ef27779402621b5446891b5f5a6859629c0055951b32a705bf833385ac684
MD5 hash:
12b5beed3928eec1a27380befc71374e
SHA1 hash:
0dad07e29569596a0992e3d367a73570263fe487
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/a1d0edd5-6c72-44e5-9fca-4c5b8d613941/
Parent samples :
57c8aa8fcfc3924d3076c7ab101aca78cdef35a62d3359c51f8d0cb90eb34b20
4b59e43a9ca1e953099df4cf8fddc74e6c243bef1f38236ed8b5189c67046f00
db33ad49ea94e38b3cda7b48cca06a29701052bbf784c9fff3d6300d7bf6fc81
SH256 hash:
f7f49c5787b2762245f461023f4ea4903d1b0e3502975f20a76a6d69f4f562d1
MD5 hash:
ce37379bc93f025c642630b66e6c1249
SHA1 hash:
0b6a8392f83f3af5d97f92af50ae86e742c68ca7
Link:
https://www.unpac.me/results/a1d0edd5-6c72-44e5-9fca-4c5b8d613941/
SH256 hash:
57c8aa8fcfc3924d3076c7ab101aca78cdef35a62d3359c51f8d0cb90eb34b20
MD5 hash:
f3e8a3a1304f67802a0a1d6e8b46deca
SHA1 hash:
fb0d2f9abb692058eadb5ba1d8277fef73fc34d1
Link:
https://www.unpac.me/results/a1d0edd5-6c72-44e5-9fca-4c5b8d613941/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/57c8aa8fcfc3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57c8aa8fcfc3924d3076c7ab101aca78cdef35a62d3359c51f8d0cb90eb34b20

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 57c8aa8fcfc3924d3076c7ab101aca78cdef35a62d3359c51f8d0cb90eb34b20

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/270904/

Comments