MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b
SHA3-384 hash: 676dc8b40fa942131f341518567502afa39e766892261fdc8f220f720bc12382e9cfe52a33bd27a4c66cfb36613cca6b
SHA1 hash: 0527d31647131d92671b846918e8646e4d9e6ae4
MD5 hash: 1bbf837af728f8b38518ed710baffee5
humanhash: august-ohio-cold-timing
File name:e-Invoice_0018081843.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'068'544 bytes
First seen:2023-06-15 05:49:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7y6fxgNBHZaMQCfoCjB1Rxr8pETBMdSgMgNjrVDhSEaFtZJ:7FxgN5Z+CfokB1R6p+BCM2YJ
Threatray 4'325 similar samples on MalwareBazaar
TLSH T16A35A13E9CBE52376670C6A6CF94B866F094D3B731121D39A4D36285862BC4B3AC713D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e-Invoice_0018081843.exe
Verdict:
Suspicious activity
Analysis date:
2023-06-15 05:50:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50fc8283-e196-4e61-a128-8615200bf96f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/399017/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.19776.3823.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Sending an HTTP POST request
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot lolbin packed
Link:
https://www.filescan.io/uploads/648aa68d9069800b43bc2607/reports/dab60943-1bb7-4120-bbf5-9eabbae8366d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff692fcd-8d2e-4266-9b83-9e24a9e29175
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1255034
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-15 03:07:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mf6xqqda6nqnupksgtsior35udjh7kl54rrejewpdms5conaoivq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
4115b8dcc5fe1686132189b3fb783c4e017d34581688618358dd93c76075f0c1
Loki
58036d338d5e813b0143524d21a140f38d8b58f1a531b72f7ce4a82091380185
Loki
5c01a6552e36179e065fcc044162f061bc780efdaaac71e7b0fe94efce6b449f
Loki
5db6a8dfafd6956beaf4127500cd5232d78d70165a1775fa1da58277a43327ed
Loki
852e0d9a8f474077261d053d587868b211e70eff320a7e7067c3fc1cb3253ea5
Loki
856d9678db405a6c131e80b60351819e8ec3ed19b043d170d19ca078f7723ab4
Loki
9329a473fbc644201fef14d26d708eca73a6d524c629c6b2881527525bfff3a6
Loki
95d05f1cf422a2fbcf3207e4c6c047138525bcd7d30deb26060c269e88e1df39
Loki
fd5030b33e9f626dceea517a8ff935dcd2f9d9d8d6ff9ded6f998ecee7de7e52
Loki
ff927067632cbc9312282420e5ed0e75505e871970b76c169cd57f0ca52c3d84
Loki
+ 4'315 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230615-gjk7gaeg62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://161.35.102.56/~nikol/?p=868686
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
967f18fb7eae129b852614b1906ca7897b7acb871ade96ade3ee368adccbb3d9
MD5 hash:
d8b210db744e856b9aab28c4eb7471b9
SHA1 hash:
bd45a037302804203d1a8191a4708a51560f79c7
Link:
https://www.unpac.me/results/d052fc15-9132-4ea4-a393-124aac4534b0/
SH256 hash:
59430e72df881999b223595977c40f202f78f0274eedb51b7257d22ebb0f1f6f
MD5 hash:
b54d486a2739ef77f72e3043ec6767b6
SHA1 hash:
a5345c6e0834db4efeaa6c0393e1cb38817622e9
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/d052fc15-9132-4ea4-a393-124aac4534b0/
Parent samples :
95d05f1cf422a2fbcf3207e4c6c047138525bcd7d30deb26060c269e88e1df39
617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b
SH256 hash:
f8dbc6077f6b01c6eec334061d687ff1b291a2aa5513cf1e0b5bde4a8dbc5588
MD5 hash:
15aab611795bcbf2758052944013be1a
SHA1 hash:
772a1002b111e117cf3b1e9f0cabda4894777399
Link:
https://www.unpac.me/results/d052fc15-9132-4ea4-a393-124aac4534b0/
SH256 hash:
90abc1235306796e82f284392509f1cd6c9150b8fa2b93b5cd976537462c7b53
MD5 hash:
363cc1ac1fa18f653a353d6e8cbc18ae
SHA1 hash:
63670df5c3909c16060eae0e74b491f1985ea37f
Link:
https://www.unpac.me/results/d052fc15-9132-4ea4-a393-124aac4534b0/
SH256 hash:
d2a5458857c0dfe7f8acf3f03e6dd7de1d8c7ddf88b8da87ec09825e0b335411
MD5 hash:
4ceb4068050bbd2ab9b3e9c8c1cc457a
SHA1 hash:
27921dbc8120e7c0b3f473c0718ae2b1d0f19a66
Link:
https://www.unpac.me/results/d052fc15-9132-4ea4-a393-124aac4534b0/
SH256 hash:
617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b
MD5 hash:
1bbf837af728f8b38518ed710baffee5
SHA1 hash:
0527d31647131d92671b846918e8646e4d9e6ae4
Link:
https://www.unpac.me/results/d052fc15-9132-4ea4-a393-124aac4534b0/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/617d784060f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 617d784060f360da3d5234e487477da0d27fa97de4624492cf1b25d139a0722b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/399017/

Comments