MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58e6bf305c484d04531080d5b13aa8313671a69494f8cff4ab1782c4c048af8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58e6bf305c484d04531080d5b13aa8313671a69494f8cff4ab1782c4c048af8c
SHA3-384 hash: 54a3bbed67ef6b38835dd8976a7313cbc658a14fc278add02ed54079516fbfc9f4cc50d9f88838553f243a7ac796c18f
SHA1 hash: adcaef008779d6a4da1f061643822fca53fbb001
MD5 hash: 8f2bb42643cb14591f045c7845c5dcc8
humanhash: juliet-alpha-carpet-fruit
File name:Purchase inquiry.exe
Download: download sample
Signature Loki
Create hunting rule
File size:810'496 bytes
First seen:2022-03-03 21:37:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:QylW32CDN8txXqCZapdG4eTgCaosQHox:rW35B46p84ugCrsJ
Threatray 7'715 similar samples on MalwareBazaar
TLSH T1E305CF0438E78034E93A9BB0DAC4EBF09B7DF215E549A0F654105F257642BBE8949EFC
Reporter GovCERT_CH
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
271
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247125/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.CWO.genEldorado.25997.9332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Moving of the original file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa1751ef-c7cf-4285-9dc7-b8f11560d575
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950408
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/58e6bf305c484d04531080d5b13aa8313671a69494f8cff4ab1782c4c048af8c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 16:33:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
29 of 40 (72.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ldtl6mc4jbgqiuyqqdk3covige3hdjuust4m75flc6bmjqciv6ga._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
6c5b05c8e7c1ec5c9b7b963069e1f1b10d0d3f0bd6f25dc8bcbcd5658124fc5c
Loki
80b3d09d590350e23fc0d25b2e71f3f038a741503bab97caac2a9287474f8d7c
Loki
9a597a7be3da23c4e2fe27e40a72a4b509fdb2959174380c673aae882e8163de
Loki
c563c22a6ef57303146195f39aba8eff9dff5e46ddc85e05fb6dab4d14543bfa
Loki
d47ae4f4dc0c0b8381f7f13bb64c4cf2c04751790763da3777ab99f75a6521b5
Loki
e14006290a95cf7076835582c0efba856ebf3eca9576504544d21c16483fc0f6
Loki
+ 7'705 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220303-1g2wzscfa5/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://164.90.194.235/?id=2834036298392462
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
377a84fe27ba8c91e5425d2ec0e1304e74c25b14f1dbfc829114cbc52445a42c
MD5 hash:
8b4d8753db1f17f60545bc05b5074657
SHA1 hash:
867558369cef26c749badae6283672c8f3029ff3
Link:
https://www.unpac.me/results/9b5b8231-e574-4f1b-ab78-767bf5c20f41/
SH256 hash:
d4cb361bf26bf6b85f3d981a234c8a0c9c97d9721c617c2fcb5b438d1b4e062a
MD5 hash:
b55f694537cef9d797fa7315d18734aa
SHA1 hash:
80d87759fcda10eefa3491a59cd999773391bdb4
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b5b8231-e574-4f1b-ab78-767bf5c20f41/
Parent samples :
26767fdadf16f2c90661edc392bd1af5363d613bc03a7998d909c36bd2c04a70
ef85d2ccb9824e4eb3436002c2ddb3d96ad999f6e8c96382e0c9b6d95f3440aa
19ccd41a264e8282df203be9601b2adabbf2603c9e57b7ca31c6c2734cb0d976
4cac63d38ebc10ce7d2a3f5c7364b4c34ab3c830f083af26297e57d0ec3e7e96
70cdadc6f79700ff1536ceac6d265707c61088bf0c210208d26829c070ae8710
7c818c206e8eedeff296ffffb639be56ea17677b48aa586e47bc93ec46805d0f
58e6bf305c484d04531080d5b13aa8313671a69494f8cff4ab1782c4c048af8c
SH256 hash:
bad2f289f55cbfff8bb04e780305f0a62d9ebc61381bc4f99d2b85ed729b3327
MD5 hash:
a30de6f8f90030a070a94d25d0c0d99f
SHA1 hash:
6ec0940de1f2f207232610fc693cdf84c6e339d4
Link:
https://www.unpac.me/results/9b5b8231-e574-4f1b-ab78-767bf5c20f41/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/9b5b8231-e574-4f1b-ab78-767bf5c20f41/
SH256 hash:
58e6bf305c484d04531080d5b13aa8313671a69494f8cff4ab1782c4c048af8c
MD5 hash:
8f2bb42643cb14591f045c7845c5dcc8
SHA1 hash:
adcaef008779d6a4da1f061643822fca53fbb001
Link:
https://www.unpac.me/results/9b5b8231-e574-4f1b-ab78-767bf5c20f41/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/58e6bf305c48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/58e6bf305c484d04531080d5b13aa8313671a69494f8cff4ab1782c4c048af8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 58e6bf305c484d04531080d5b13aa8313671a69494f8cff4ab1782c4c048af8c

(this sample)

  
Dropped by
loki
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/247125/

Comments