MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a92e3b84f322216db9123b7a2bff5b1669d981add700ceb6fb690c8c08ca5bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a92e3b84f322216db9123b7a2bff5b1669d981add700ceb6fb690c8c08ca5bc
SHA3-384 hash: 4bfb8fe7384abecd295ec994e163c3f8af6f3f8c2843e21d622bbc83be06002e176b267a2e458c07e9feff5eed30e2b8
SHA1 hash: 70ae60095f6331009aa56966bfd63b58c08c7601
MD5 hash: 0ccf4e8a78fa821ac23dd92879766bc4
humanhash: ten-may-diet-steak
File name:Original Invoice_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:386'048 bytes
First seen:2020-10-15 12:05:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:yr0Dx9dBuk7Rxpq8BSvMPIeQFIna2x5RMEkct8Y3gsvI3y7:ygD/3Jrpq+AKa2jWTq9QsvIC
Threatray 254 similar samples on MalwareBazaar
TLSH 8D84BFB1F992546EC56A0775C09AC4C0FAB61EC63F618A0E61DA730C0E30A5AEF1775F
Reporter abuse_ch
Tags:exe Loki TNT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: xbx0.527.fdion.ml
Sending IP: 159.89.105.204
From: TNT EXPRESS <Airene.Jovellanos@tnt.com>
Subject: Consignment Notification: You Have A Package With Us
Attachment: Original Invoice_pdf.gz (contains "Original Invoice_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71358/
Detection(s):
SecuriteInfo.com.Generic.mg.0ccf4e8a78fa821a.6417.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/492302
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5a92e3b84f322216db9123b7a2bff5b1669d981add700ceb6fb690c8c08ca5bc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 10:02:49 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lkjohocpgirbnw4reo32fp7vwftj3ga23vyaz23pw2imrqemuw6a._file
Verdict:
unknown
Similar samples:
0451c23deb9a283b5aead1f5a49d95b09e35c21e953eeeec71ff1d71eaecd9f3
Loki
0edc105e9bc4e9b297487650e45b6ee0b0ca1e97e2194a2b455d657e428be977
Loki
223c38be022bf37ef243556438ecd472ae67bbb46fcf0e7ce4ea3173260141e9
Loki
4323dbb489f82a5a4906fbc6e0dc37a6589dc7b073f2fa0a569b7d3409314e15
Loki
5e5dc622108b69d77e09abf99287d670c8f0249e59971ee49ef7506adb572ecf
Loki
659c836026b1ee353c16584705804815ea357519b446db36822fb40bed5ab320
Loki
73f6286bd85316cb72796f461e1ad724b8434837f1a10a4a625862c3a7e3c173
Loki
8878c46875d3b0d420bd76508490e5c6df7a55359d1d039f0edb145e836addb1
Loki
d9600ffc9406d71c60b7eb036248230510c3b971a1de563ca7b8b57e822f7879
Loki
f4e60792b136f02c28fd35322ee58bf723aeaa3611d286417d8b2b0707612cdc
Loki
+ 244 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201015-h6dze83jlx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/3IAhLIb1TTSzV
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
5a92e3b84f322216db9123b7a2bff5b1669d981add700ceb6fb690c8c08ca5bc
MD5 hash:
0ccf4e8a78fa821ac23dd92879766bc4
SHA1 hash:
70ae60095f6331009aa56966bfd63b58c08c7601
Link:
https://www.unpac.me/results/d044c9c0-1cc1-41b4-85b1-615ff99a7173/
SH256 hash:
88c1ca6811286ba82321c7ffe5e38ad8e3b5ed35f8d593fa5005baabc8064664
MD5 hash:
827df12d52d6e144fa5a06fdb1e85a3e
SHA1 hash:
2619270bb021b6e3064405f6776f6603871913d9
Link:
https://www.unpac.me/results/d044c9c0-1cc1-41b4-85b1-615ff99a7173/
Parent samples :
8ea5067082a325edf7c4436c4543c8620b4b65306c5bb582d8e962bca151f1b5
b252ee4bb76b6f31587ea0820ee4c3989f39e7f4c921397ecd79f1718c854cbe
dcbec7985540b0bef3dc49943360237dd6566c1be790f77a0288d7ca6bb53e23
SH256 hash:
db2e12607a6cc185754ca9a200005aaecb522ab4526453f3d57cca402d34a81c
MD5 hash:
fa0e7bb57c09f1ff11d6b7f46ce92228
SHA1 hash:
5bf9cebe437d8271bede17d85aa185172460ea6c
Link:
https://www.unpac.me/results/d044c9c0-1cc1-41b4-85b1-615ff99a7173/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/d044c9c0-1cc1-41b4-85b1-615ff99a7173/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Link:
https://www.unpac.me/results/d044c9c0-1cc1-41b4-85b1-615ff99a7173/
SH256 hash:
cc68e3eb8bccc4a249ec5b6f7d83cb2230442040a398aa362c30bfa520987bc5
MD5 hash:
0c74f2c28837f15bd9481236e4fff068
SHA1 hash:
d6aaa270e7cde6512b8861d725556433b7da78b9
Link:
https://www.unpac.me/results/d044c9c0-1cc1-41b4-85b1-615ff99a7173/
SH256 hash:
7998448e4cd1c0a2dc62164e47d9e0c471cc3d0d2dc3d51ad33f2545e6d70d49
MD5 hash:
e97f053fb68054d7b5968f24d83ca253
SHA1 hash:
58860ee1d7e70fda2cd8571b5a79151235124258
Link:
https://www.unpac.me/results/d044c9c0-1cc1-41b4-85b1-615ff99a7173/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a92e3b84f322216db9123b7a2bff5b1669d981add700ceb6fb690c8c08ca5bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip eb37c24085b13cc03f636511992948aea82f5b39e7c31bf530f6f0527bd171e3

Loki

Executable exe 5a92e3b84f322216db9123b7a2bff5b1669d981add700ceb6fb690c8c08ca5bc

(this sample)

  
Dropped by
MD5 859a08fd168d9709cffb12eef00349c4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71358/
  
Dropped by
SHA256 eb37c24085b13cc03f636511992948aea82f5b39e7c31bf530f6f0527bd171e3

Comments