MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c22960ea7610edbe1cf29f39e92c41af4088b5e64aaf5f000b6588583e2e6cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c22960ea7610edbe1cf29f39e92c41af4088b5e64aaf5f000b6588583e2e6cb
SHA3-384 hash: e290f7a4a26e49aaf3b3bdde32e7c12843ab29ddc4d7139f7e2143c4fb31481253f739eb39f1f25a40339abb3cb7903f
SHA1 hash: 4ac2b1f3585f372d10d6a4fa788e7325bf0c4c9d
MD5 hash: 93622aa56dc31739fc6583c1f0f3341a
humanhash: william-chicken-twelve-coffee
File name:DHL Shipment, customs invoice 3709392691.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'626'112 bytes
First seen:2022-04-04 18:19:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:Fu00lSqWbepSvIy4hWygFiHUdRMUhyRGbTMjoCsXQtzjXkrdemB4fJG:FuNwLbepSvIF+sUhyRz7sA5GdZB9
Threatray 14'640 similar samples on MalwareBazaar
TLSH T182753A0D26C1885AFE8197B4F9BF2BE51754CA7688E98303E3B5663DD42F3651FA0702
File icon (PE):PE icon
dhash icon 8862e0d8f2fc7c19 (2 x DanaBot, 1 x Loki, 1 x RemcosRAT)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/260715/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Launching cmd.exe command interpreter
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/624b36a9db9ca5cf841da42c/reports/0a441980-b27e-4a7e-baaa-bd4eee704df9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb3ebde1-41e2-49d4-9775-b013e5798f7d
Result
Threat name:
FormBook Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/970346
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 602833 Sample: DHL Shipment, customs invoi... Startdate: 04/04/2022 Architecture: WINDOWS Score: 100 95 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus detection for URL or domain 2->99 101 14 other signatures 2->101 10 DHL Shipment, customs invoice 3709392691.exe 1 5 2->10         started        14 firefox.exe 3 2->14         started        process3 file4 69 C:\Users\user\AppData\Local\firefox.exe, PE32 10->69 dropped 71 C:\...\Rgqhaasrbqjdrccplkjycgfkay loki.exe, PE32 10->71 dropped 73 C:\Users\user\...\firefox.exe:Zone.Identifier, ASCII 10->73 dropped 75 DHL Shipment, cust... 3709392691.exe.log, ASCII 10->75 dropped 109 Drops executable to a common third party application directory 10->109 111 Injects a PE file into a foreign processes 10->111 16 DHL Shipment, customs invoice 3709392691.exe 10->16         started        19 Rgqhaasrbqjdrccplkjycgfkay loki.exe 54 10->19         started        23 cmd.exe 1 10->23         started        25 DHL Shipment, customs invoice 3709392691.exe 10->25         started        113 Antivirus detection for dropped file 14->113 115 Machine Learning detection for dropped file 14->115 117 Tries to detect virtualization through RDTSC time measurements 14->117 27 firefox.exe 14->27         started        29 cmd.exe 14->29         started        31 Rgqhaasrbqjdrccplkjycgfkay loki.exe 14->31         started        33 firefox.exe 14->33         started        signatures5 process6 dnsIp7 79 Modifies the context of a thread in another process (thread injection) 16->79 81 Maps a DLL or memory area into another process 16->81 83 Sample uses process hollowing technique 16->83 85 Queues an APC in another process (thread injection) 16->85 35 explorer.exe 16->35 injected 77 62.197.136.176, 49775, 49776, 49777 SPRINTLINKUS Netherlands 19->77 67 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 19->67 dropped 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->87 89 Tries to steal Mail credentials (via file / registry access) 19->89 91 Tries to harvest and steal ftp login credentials 19->91 93 Tries to harvest and steal browser information (history, passwords, etc) 19->93 37 conhost.exe 23->37         started        39 timeout.exe 1 23->39         started        41 conhost.exe 29->41         started        43 timeout.exe 29->43         started        file8 signatures9 process10 process11 45 firefox.exe 1 35->45         started        48 systray.exe 35->48         started        50 chkdsk.exe 35->50         started        52 wlanext.exe 35->52         started        signatures12 119 Injects a PE file into a foreign processes 45->119 54 firefox.exe 45->54         started        57 cmd.exe 45->57         started        121 Self deletion via cmd delete 48->121 123 Maps a DLL or memory area into another process 48->123 125 Tries to detect virtualization through RDTSC time measurements 48->125 59 cmd.exe 48->59         started        process13 signatures14 103 Modifies the context of a thread in another process (thread injection) 54->103 105 Maps a DLL or memory area into another process 54->105 107 Sample uses process hollowing technique 54->107 61 conhost.exe 57->61         started        63 timeout.exe 57->63         started        65 conhost.exe 59->65         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c22960ea7610edbe1cf29f39e92c41af4088b5e64aaf5f000b6588583e2e6cb/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-04-04 18:20:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqrjmdvhmehnxyopfhzz5ewedl2arc26msvpl4aawzmila7c43fq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
5d199f6e3b18707bf891e790552a097e326cb170308a95d4915b1a8e1718a4cf
Loki
67cb5ce28fc7e9a5dae6c7be6da453844762fdea43d985cfc761c1ded66487f0
Loki
7c0ab1d837684e8d37e75578f4821e25d7729cb9d3739f397cabbb9c95f2ddae
Loki
a2d7a6453efd6b8c31af2e225ae7f93064d44fe328b5bb2e530d820e5e6ca5f8
Loki
c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
Loki
c652919676cc6f3ea808c6e1023de343d27ed8f72f4f1b94523c4ecfb09bf223
Loki
daac858e9ca5b0c8044385c2d94cbef17c41b0bd5c569ad7e03f0a51b4caab7a
Loki
db4d5bd36f923fdd47daf48ace971f47e9764d27a2f88241f09c754c042efc28
Loki
f136f4f9c59c4ff2582063222c6df106a3d1e3d7d9220ff73e3cb2ec487fe1db
Loki
+ 14'630 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:lokibot campaign:w83h collection persistence rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/220404-wyqstsecfr/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Formbook Payload
Formbook
Lokibot
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://62.197.136.176/wealth/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
93bd68a077461e5cb55915d5fd6fafc57829badc8c763cccc7aa36fa38dc60b2
MD5 hash:
23d74ca691de2442bbb81c29ff05c553
SHA1 hash:
97a8b6c3e7daa0adb33a7b62ccf71824c0e1983e
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/aeafec87-af8c-4b96-8ea7-1737e1498f97/
Parent samples :
b49e86472e01e666fabb5e6024f7405b8e3c02c7602dba20a4d937537dbd79fa
5c22960ea7610edbe1cf29f39e92c41af4088b5e64aaf5f000b6588583e2e6cb
322dc83c729bef18426974f5ee9043b02674a917f11404b094a5e899375c6df3
519a77b3e875886add3b2e84ac63cb9e9707381fce9d25d79616554d4c6c2287
9504b7d70560189218da2f73a816ed686e6f52373dd025a79ddbc1a0e74cf33c
SH256 hash:
61c10e5c1d0d5f0b7f2618db36c863f8f0fa2fc92f3431fdbc8f386564b5451e
MD5 hash:
d7cf0d988ffb3ffe897d9b0588597bf2
SHA1 hash:
47d4bc415bdaeb56e8224c400638cf09ac757339
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/aeafec87-af8c-4b96-8ea7-1737e1498f97/
SH256 hash:
1334d57faa22bda32c16676fdff4b5f6586ad55731cdc8adbefd8696b41ca558
MD5 hash:
510361ca48629159644e5500bb21e7d6
SHA1 hash:
c5e58d5d8d3a778164776b57751609b7ae8a8df9
Link:
https://www.unpac.me/results/aeafec87-af8c-4b96-8ea7-1737e1498f97/
SH256 hash:
229a83ad61c7019d80ddbeac75d5b775fc92d737f8c09288be71984f9ea6faf5
MD5 hash:
8399468f797daf21946ddda165fcb7a0
SHA1 hash:
b6fc6ecf8c844b433181575b0369feef47dbcf7c
Link:
https://www.unpac.me/results/aeafec87-af8c-4b96-8ea7-1737e1498f97/
SH256 hash:
fae9e72a9892e047546778b8a9cc08c73f904dd7feb8f9ccf0c79188262410fd
MD5 hash:
57a0918f5cd7048d29349ba4591a3b2f
SHA1 hash:
832a1b18ecf63cff21c7dfd8382173e57eb2d200
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/aeafec87-af8c-4b96-8ea7-1737e1498f97/
SH256 hash:
5c22960ea7610edbe1cf29f39e92c41af4088b5e64aaf5f000b6588583e2e6cb
MD5 hash:
93622aa56dc31739fc6583c1f0f3341a
SHA1 hash:
4ac2b1f3585f372d10d6a4fa788e7325bf0c4c9d
Link:
https://www.unpac.me/results/aeafec87-af8c-4b96-8ea7-1737e1498f97/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5c22960ea761/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5c22960ea7610edbe1cf29f39e92c41af4088b5e64aaf5f000b6588583e2e6cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:LokiBot
Create hunting rule
Author:kevoreilly
Description:LokiBot Payload
Rule name:malware_Lokibot_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.lokipws.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/260715/

Comments