MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61979ec19c1d1f0e6d17b32d0ae2f2cbf5a351762d11c7c7b4acab16a5a781e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61979ec19c1d1f0e6d17b32d0ae2f2cbf5a351762d11c7c7b4acab16a5a781e8
SHA3-384 hash: 6029400a1c3431bcf9c5830f7c14842ea46bb1ad62afd0778e61940d64cbb6d4890aaa2458ed9ccfef2e2e6f3a53ef3d
SHA1 hash: c845ebfd219409e5d449d72de39e94a6a521af7e
MD5 hash: c5177d79deda94bf25f86c35ca473370
humanhash: echo-double-fourteen-solar
File name:DHL Receipt_AWB811470484778.exe
Download: download sample
Signature Loki
Create hunting rule
File size:684'032 bytes
First seen:2022-04-15 06:55:38 UTC
Last seen:2022-04-15 08:29:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 12288:mJMg4IkUMRlyO6bLE8tmQj6T1Zz3DutO77DJyg9gREFPoEifq:aMg4znRlyZbL0QjODz3Dl1jgRCQEifq
Threatray 7'936 similar samples on MalwareBazaar
TLSH T149E4224637EEBB32C87DAFF955A6940413B0026BAE65D7888CD671CA0B217C45BD0F93
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 04d4ccd8c4ccd400 (10 x AgentTesla, 6 x SnakeKeylogger, 4 x Loki)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
354
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
DHL Receipt_AWB811470484778.exe
Verdict:
Malicious activity
Analysis date:
2022-04-15 07:48:36 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/b8058ef6-7ee3-4b1d-acca-06b118a569cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263925/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.1126.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6259170effe27d5119d75e45/reports/c653fdfa-9451-418a-ba4c-0774b5f417ff/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c81557a-00a0-4247-b887-d176c881182e
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977305
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/61979ec19c1d1f0e6d17b32d0ae2f2cbf5a351762d11c7c7b4acab16a5a781e8/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-04-15 02:58:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mglz5qm4dupq43ixwmwqvyxszp22gulwfui4pr5uvsvrnjnhqhua._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0bcb4c2c798db189132b9e70588a72df14efdc5ee998ba4203aed16fbe56960f
Loki
7c60096d1d69544edaba264f456916ee1fc30f0b2a296b12574d7149aff0f73f
Loki
86c6cc93d8405840ca3be8cbc58db75d6ed324c115461969aebcbf0a84f13a21
Loki
a412a5da88b8066b205c9fb016c8bc6b28399901c0dda795577f0c466f4f7183
Loki
dbac3948a35ae44b1e43093d34888baf8f759ce2c5a6316bab07f9944c395112
Loki
+ 7'926 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220415-hqcz4sddg3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://164.90.194.235/?id=6173671561486492
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
fc68d75cfa646cc9f5ef5650802bd3e94d504fec2751c2976ae2e54cfb5b4ce0
MD5 hash:
a6afcf8d36fad1c05f5393bc6b92d0d7
SHA1 hash:
81e78f6e94eb0ed6a9133d3036008a82b067d20a
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/c93425eb-ba59-4604-aa87-1278774ea63f/
Parent samples :
d8986c491358dd57521143e28f678913fbf096c268c810f7cab50e1ead518142
61979ec19c1d1f0e6d17b32d0ae2f2cbf5a351762d11c7c7b4acab16a5a781e8
SH256 hash:
73cf47a34e66393a5e40842ee05ad9469a24cb5906216af26064a10ca95f3431
MD5 hash:
4be4c529aefb301a9bc088de58769d20
SHA1 hash:
7a2879baccbdb0c879a421936b6979fb5051fb02
Link:
https://www.unpac.me/results/c93425eb-ba59-4604-aa87-1278774ea63f/
SH256 hash:
fe2c8bc9df1bb1dba9626d1918badb1c063211d270ca39e4ce4edd90b3163bda
MD5 hash:
9bcb55134604ae4b8668f6cc4e7387b7
SHA1 hash:
3c6c038ce52c4a80c414b0d2fa3b8f648e1b716f
Link:
https://www.unpac.me/results/c93425eb-ba59-4604-aa87-1278774ea63f/
SH256 hash:
af1f5074eff36653e6d54c5c7aabf990aee2cc70a72db4cfb1707e452349c574
MD5 hash:
fc0ae7f6d4aa4aa2c27c26407936ec3d
SHA1 hash:
dfa9b61be7f02298605ffe7e007617016c9bfc2b
Link:
https://www.unpac.me/results/c93425eb-ba59-4604-aa87-1278774ea63f/
SH256 hash:
61979ec19c1d1f0e6d17b32d0ae2f2cbf5a351762d11c7c7b4acab16a5a781e8
MD5 hash:
c5177d79deda94bf25f86c35ca473370
SHA1 hash:
c845ebfd219409e5d449d72de39e94a6a521af7e
Link:
https://www.unpac.me/results/c93425eb-ba59-4604-aa87-1278774ea63f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61979ec19c1d1f0e6d17b32d0ae2f2cbf5a351762d11c7c7b4acab16a5a781e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:t0_1
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 61979ec19c1d1f0e6d17b32d0ae2f2cbf5a351762d11c7c7b4acab16a5a781e8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/263925/

Comments