MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59819eed25c7ec484455237149273827c8c3476bf961f5be7443e856d3131259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	59819eed25c7ec484455237149273827c8c3476bf961f5be7443e856d3131259
SHA3-384 hash:	bca6bb5f8bcf0df1cbc29a49eedfc6562016769e97ad66face4dc9816624b0e5fa15bb9a3cec3491d8c078165f020b3b
SHA1 hash:	3d2fbcfaa9d02a605c4b5b016f67332630ac225d
MD5 hash:	a6e4c0010ad549a3ca425ef7e4f38adc
humanhash:	victor-delta-white-alanine
File name:	Solicitud de oferta 14-02-2022.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	458'384 bytes
First seen:	2022-02-14 15:56:03 UTC
Last seen:	2022-02-14 17:36:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:XbE/HUsqlsSzyI0F0UjVrH76Brup88h8h+843ggbxfNSXNISJSdIX3u:XbwqKoyI0F0UjVrH7pv1bxfUdIOC3
Threatray	9'248 similar samples on MalwareBazaar
TLSH	T1EEA4CF2D073CC856F0B42DFC28229BB9BEFC5F11626DF96753206CD719F12829A89197
File icon (PE):
dhash icon	1998b0b69ee6fc08 (3 x Loki, 1 x GuLoader)
Reporter	abuse_ch
Tags:	exe Loki signed

Code Signing Certificate

Organisation:	Abandonneredes7
Issuer:	Abandonneredes7
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-14T14:14:21Z
Valid to:	2023-02-14T14:14:21Z
Serial number:	00
Intelligence:	325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	6befef9224c7dbf57bd61427fad01066d920b347dedc11e3889d20cd538b6827
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Loki C2:
http://164.90.194.235/?id=7361073434082270

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://164.90.194.235/?id=7361073434082270	https://threatfox.abuse.ch/ioc/387465/

Intelligence

File Origin

# of uploads :

# of downloads :

205

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/241413/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.3466.25950.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% subdirectories

Creating a file

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/620a7ba1289e2f3e4fd9ea20/reports/c87690be-ae7f-4def-80fe-5ea4fb52e852/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/926c0b88-9fe9-4868-8f3f-ec588b8c5e3a

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/939506

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59819eed25c7ec484455237149273827c8c3476bf961f5be7443e856d3131259/

Threat name:

Win32.Trojan.SpyNoon

Status:

Malicious

First seen:

2022-02-14 15:57:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=lgaz53jfy7weqrcvenyusjzye7emgr3l7fq7lptuipufnuytcjmq._file

Verdict:

suspicious

Label(s):

cloudeye

Loki

23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0

Loki

39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5

Loki

767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255

Loki

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

Loki

88a56adfda71155cd315c64ca5ab176120f7d74369cc752cb63ee6a00f90e736

Loki

892ef7a1974f417377e4b50358b42c68248a4f4c1f393328421ad48e73861640

Loki

da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99

Loki

ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677

Loki

+ 9'238 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:guloader family:lokibot collection downloader spyware stealer suricata trojan

Link:

https://tria.ge/reports/220214-tdcpcsbdbj/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

Reads user/profile data of web browsers

Guloader,Cloudeye

Lokibot

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://164.90.194.235/?id=7361073434082270
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

59819eed25c7ec484455237149273827c8c3476bf961f5be7443e856d3131259

MD5 hash:

a6e4c0010ad549a3ca425ef7e4f38adc

SHA1 hash:

3d2fbcfaa9d02a605c4b5b016f67332630ac225d

Link:

https://www.unpac.me/results/de788072-bcd7-4f57-9883-f24065f4500e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/59819eed25c7ec484455237149273827c8c3476bf961f5be7443e856d3131259

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/241413/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample