MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 8 File information Yara Comments

SHA256 hash: 6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33
SHA3-384 hash: 2794db61f082a05b80a1014619a96da1eab2c7981c0a16369ddf374167e925de65d856e8ed0a38b026cdbd9255eba4aa
SHA1 hash: 5e28c29f740842a5eee6f2717d25f86dd3b0f752
MD5 hash: 32ffae9524a6321051248e4313c91852
humanhash: uniform-california-triple-crazy
File name:SecuriteInfo.com.Trojan.MulDrop.1161.895.14575
Download: download sample
Signature HawkEye
File size:516'096 bytes
First seen:2020-08-01 19:36:35 UTC
Last seen:2020-08-02 07:34:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:wiC+3hdq+/6qpONWtWrnngnnnKnanxbY:wiC+xdq66NNWtWrnngnnnKnanxb
TLSH FDB4E590A8535838CA244778BA7396B01DF9ECB0C907E67167207EF6F13BA20ED75572
Reporter @SecuriteInfoCom
Tags:HawkEye

Intelligence


File Origin
# of uploads :
2
# of downloads :
41
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Connection attempt
Creating a window
Changing a file
Replacing files
DNS request
Sending an HTTP POST request
Deleting a recently created file
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun
Result
Threat name:
Lokibot Netwire
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to log keystrokes
Creates an undocumented autostart registry key
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected Netwire RAT
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255718 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 02/08/2020 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected Lokibot 2->45 47 4 other signatures 2->47 8 SecuriteInfo.com.Trojan.MulDrop.1161.895.exe 5 2->8         started        11 Host.exe 2->11         started        13 Host.exe 2->13         started        process3 file4 31 SecuriteInfo.com.T...op.1161.895.exe.log, ASCII 8->31 dropped 15 RegAsm.exe 12 8->15         started        process5 file6 33 C:\Users\user\AppData\Local\Temp\build.exe, PE32 15->33 dropped 35 C:\Users\user\AppData\...\StartUpHost.exe, PE32 15->35 dropped 18 StartUpHost.exe 2 15->18         started        22 build.exe 54 15->22         started        process7 dnsIp8 29 C:\Users\user\AppData\Roaming\...\Host.exe, PE32 18->29 dropped 49 Contains functionality to log keystrokes 18->49 51 Machine Learning detection for dropped file 18->51 25 Host.exe 2 18->25         started        37 dresson1.com 204.11.56.48, 49717, 49719, 49720 CONFLUENCE-NETWORK-INCVG Virgin Islands (BRITISH) 22->37 53 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->53 55 Tries to steal Mail credentials (via file registry) 22->55 57 Tries to steal Mail credentials (via file access) 22->57 59 Tries to harvest and steal ftp login credentials 22->59 file9 signatures10 process11 dnsIp12 39 91.192.100.3, 1199, 49715, 49716 AS-SOFTPLUSCH Switzerland 25->39 61 Contains functionality to log keystrokes 25->61 63 Creates an undocumented autostart registry key 25->63 65 Machine Learning detection for dropped file 25->65 signatures13
Threat name:
ByteCode-MSIL.Backdoor.Androm
Status:
Malicious
First seen:
2018-10-28 22:14:33 UTC
AV detection:
24 of 29 (82.76%)
Threat level
  5/5
Result
Malware family:
lokibot
Score:
  10/10
Tags:
trojan spyware stealer family:lokibot persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
Lokibot
Malware Config
Extraction:
http://dresson1.com/wip-admin/js/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

HawkEye

Executable exe 6a223f3097e572a00aa6f1029bbbb6d71d66bb5bbf239177d232dca3c7f9bf33

(this sample)

  
Delivery method
Distributed via web download

Comments