MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6238d27cd0939013f647f1dec1fa739d0dd3b31c68f6a5865ce49a334db9029e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6238d27cd0939013f647f1dec1fa739d0dd3b31c68f6a5865ce49a334db9029e
SHA3-384 hash: 44ddae0593c65da3d52ccf9809007dd677a9aa26ae329da1e041ef0e1f352524cdbc3191fc5f2c39c6f496bec755efe6
SHA1 hash: b7adc2a236ac0488d3bbb594f5ea22d60ad6d9e6
MD5 hash: fb0a3dfce1eb936d199731a3569d436f
humanhash: don-football-social-lima
File name:Request for Quotation.exe
Download: download sample
Signature Loki
Create hunting rule
File size:590'848 bytes
First seen:2022-05-31 05:33:04 UTC
Last seen:2022-05-31 06:31:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:yrXpUSlB61512O7kAalZrdZduBYm4dHbcktW3vHN+bidqzFpiF:kXpUSlB61512O7PwpYU1bckk3/N+GU2F
Threatray 8'485 similar samples on MalwareBazaar
TLSH T12AC4027126BC9693CEBB0FF581958580637CD21E6607F32DEDD0999A24E338166077E3
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70f8ecccece87070 (15 x Formbook, 9 x AgentTesla, 8 x Loki)
Reporter GovCERT_CH
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Request for Quotation.exe
Verdict:
Malicious activity
Analysis date:
2022-05-31 05:34:36 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/7f04cc27-2fd2-4818-995b-94ca12d2841b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/275585/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.60305.741.29128.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6295a8cb054dcf0eca089e54/reports/161bf63e-f097-48a3-945a-e9761ff0dc87/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9d565e6-c696-4cdb-9f82-1d90df512c6a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1003949
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6238d27cd0939013f647f1dec1fa739d0dd3b31c68f6a5865ce49a334db9029e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 01:22:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mi4ne7gqsoibh5sh6hpmd6tttug5hmy4nd3klbs44sndgtnzakpa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
17601e8cd5da7f6b4030546780e2ea2793f104cb978db4aaeb634b8d9be642b8
Loki
4569409e80631fe85b794a736958f686aa04672e73f870e8aeddaad6b7b971c7
Loki
692704ea1178102b991d87a95bd169434ee68c687863e012351ffed523e075b5
Loki
9d39d5e879fbf69a66c504a727dd38dc01d5555f324017888b8679c42a42ce03
Loki
ee49c3adf109600b2531d24af0268325f3fd717a6209d63150fa19bf74a7db79
Loki
+ 8'475 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220531-f9expsfed6/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=44446158722981898
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
f8102672967cc472770b6d1fb80453ac596190f917c297f8ddf8a20200d7cd95
MD5 hash:
3254eca01dc6944ee1fc6c5c3ae5e250
SHA1 hash:
5fe21db49e016cd87ebbae47f5a4b1172908e937
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/804bb243-2d26-40b5-b84f-3e1fdf9e2950/
Parent samples :
35f907225af129bc3fd351e6935b506ea43ec65bc897d9bc9c57c14c878e01af
b629f165b4624132b06e3b4fbc96a1d38973f384b042cb15c8b8ec39b458577a
4a003d045e5e6a272258d8172b045cdea9b76da58aa184689a6f48c84ecfdc7b
db19f1bef553dda6b33f8e792dc85c8bb8098826ecc41afe9be84ac3d73f7b33
d7a88d2806270f681ee98030de00c8bed6d96826d2a7ba927669482096be25fb
3b7cd8ff535440d339e49dfc722f87d10280d0cd927a1a1998dfe72a132a6a47
6238d27cd0939013f647f1dec1fa739d0dd3b31c68f6a5865ce49a334db9029e
5eff99bc037c0cf586f94af94a0cdb30944487f8d3d9caf6b05952038aa35f29
3e1ed40043db2a405086385b7217fba4dc74341a62045b39bc7a50ac62288da8
d5d99aba9b69d9cc9f5b12d4f382a62ecc967f3a0308e0efe3dc00954437feba
0544bc511453c3b483e58e51ac2f626b85257802b2525e51124ccff6e69f362a
e4c7f4677e025daf43d30e700ceee5115dcd86cdf4d6e66498c5c37b6ecda016
SH256 hash:
3f1129243ea43f2decdfce6c1018a68bea2707bca8e2fdd0268e5d24126e596d
MD5 hash:
17bd3396f0bcf020b452f2ad6292ab98
SHA1 hash:
22e0c8c49736ee40b988a68862ec5003cb70673f
Link:
https://www.unpac.me/results/804bb243-2d26-40b5-b84f-3e1fdf9e2950/
SH256 hash:
879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504
MD5 hash:
30b6a54a992eae921a2eb8c5ea130911
SHA1 hash:
1c83f0319bffe007077c6656418c9b7344d5affe
Link:
https://www.unpac.me/results/804bb243-2d26-40b5-b84f-3e1fdf9e2950/
SH256 hash:
d292f3d10474b871a6dcc02ad972024e33b4a1df7231f523592f68bae928738a
MD5 hash:
d1a4b19d46a03acbc0f1d5661711a07b
SHA1 hash:
1950a91d71fb99afe2c9e99df96b8ea8ef9de457
Link:
https://www.unpac.me/results/804bb243-2d26-40b5-b84f-3e1fdf9e2950/
SH256 hash:
6238d27cd0939013f647f1dec1fa739d0dd3b31c68f6a5865ce49a334db9029e
MD5 hash:
fb0a3dfce1eb936d199731a3569d436f
SHA1 hash:
b7adc2a236ac0488d3bbb594f5ea22d60ad6d9e6
Link:
https://www.unpac.me/results/804bb243-2d26-40b5-b84f-3e1fdf9e2950/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6238d27cd093/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6238d27cd0939013f647f1dec1fa739d0dd3b31c68f6a5865ce49a334db9029e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 6238d27cd0939013f647f1dec1fa739d0dd3b31c68f6a5865ce49a334db9029e

(this sample)

  
Dropped by
loki
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/275585/

Comments