MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090
SHA3-384 hash: 0750d88c3653a85e7aeb272c633b88b731d94fda2829046ea59a7ef21100a5632557cf91bfd416c25c66f2650304c07e
SHA1 hash: 045568cace1af652cf3dea51f561bfe80c0035d7
MD5 hash: bbf8cc59cbe4cd8d3845c1499335c07f
humanhash: stream-orange-tango-whiskey
File name:Purchase Inquiry.exe
Download: download sample
Signature Loki
Create hunting rule
File size:738'304 bytes
First seen:2022-11-28 08:10:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:Be1O4WxovDi23bDIg95lzKogGNkwZ3cYRMdS98MTHRyoY:eIgvxKodMS2MjRpY
Threatray 11'402 similar samples on MalwareBazaar
TLSH T148F47C6862A69989F3AF5171B2ECBBB0027234E3D1D9D78B85959181C3C9FD60DC07CE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe Loki Maersk

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Purchase Inquiry.exe
Verdict:
Malicious activity
Analysis date:
2022-11-28 08:12:59 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/cf908ff1-5ccd-41d9-a83b-7f243ffbbd3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/339321/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63846d169c57db591d88f173/reports/191e2547-af15-4d54-8ac5-b68a7251d9d8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80ee511b-8a11-4361-aeee-391d3cdd4d72
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1122327
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-11-28 02:54:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omuvfdvnovbmtl2iv37th7h2ezltdnj22njk6hx4gztjchyrkcia._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
004cc0803bb20bd71c217c0a7987420f3b6fffec022b6c1c1f20b87b86b1de9c
Loki
320cd864f1bcd59e122d933cb6cb19cdb1b679bb4e04d48ae81be09803c1cf29
Loki
4aa612a46e91713c9c9fc9aa3c3ae5fd06b9192f52edbae35b5ac3488c8e5f42
Loki
5771ed2b8fe261413b610984c4a4ccbefa6e571e64e718c746e5e4493dfacb55
Loki
acdbb288983f19bd882bc9962cbf1d4cabe3cdfb67a25de5a69b935d60a57df5
Loki
ef1448decefb015f11301f421e12c1720da209931757761a31c89e969fbc9885
Loki
+ 11'392 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221128-j29nwsdb9s/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://157.245.36.27/~dokterpol/?page=14914169539334
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1d88b0d7a81e4170fcdd268abad10f299183c6e691ac710adb375ecc828d8239
MD5 hash:
ed0666c9f1cfc485fbb2ba39c853f0d2
SHA1 hash:
e387b222c1b382ebed0e1828d918846b6f6cee15
Link:
https://www.unpac.me/results/a236097e-c896-4bbd-947d-3ecd6034d645/
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/a236097e-c896-4bbd-947d-3ecd6034d645/
SH256 hash:
6bca29d27d4473f78640615fd06ab8e03839d5937cda27c0c9efa739cf346311
MD5 hash:
90d0dba1ab539f4c81ba8b30972a73da
SHA1 hash:
bb8753f0e7d4be5b71b9397a20113971672cae9a
Link:
https://www.unpac.me/results/a236097e-c896-4bbd-947d-3ecd6034d645/
SH256 hash:
cb87a988b91cd8b6dcdf7c20bdf5f64586531c07dce3dd59518b692440aa26df
MD5 hash:
452dca3561274dad354d17b0b72979d3
SHA1 hash:
b70a3184f79f8248cefe222c6f4c5bb2c3ed4d44
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/a236097e-c896-4bbd-947d-3ecd6034d645/
Parent samples :
e80d943c7a54d88b5c29d6f2ba93f5840e54aa14a060e072c55becf1cd4a6019
534683512dd0e905a27a5f84499c04d72f2510ddabaf1e859a884fc1e7cb331d
7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090
208591b78135b397fcf22a58338bea5c086935362fb5e255e40ecb1a78245209
f1bc2cc9b64620d67979d57c2eb33f6a75562d65c7ba1940ebd6d011c122abbd
8558b4d389b22ea8b2ec98c62d43646e2b733fb7c3209d6d7d2f0ae8744650fd
SH256 hash:
ddb4b9708827cb344d5c08c6b07571d0d6a38fd4b594bcbdb73fa4e0104b274d
MD5 hash:
4709d80b2fe48a1401137beae6f231c7
SHA1 hash:
53856da064431f669e254da51bf4a3e7db634120
Link:
https://www.unpac.me/results/a236097e-c896-4bbd-947d-3ecd6034d645/
SH256 hash:
7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090
MD5 hash:
bbf8cc59cbe4cd8d3845c1499335c07f
SHA1 hash:
045568cace1af652cf3dea51f561bfe80c0035d7
Link:
https://www.unpac.me/results/a236097e-c896-4bbd-947d-3ecd6034d645/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7329528ead75/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 323dfe748192de2c66729a6b781f73188233d4cf2efef722271499a047847011

Loki

Executable exe 7329528ead7542c9af48aeff33fcfa265731b53ad352af1efc3666911f115090

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 323dfe748192de2c66729a6b781f73188233d4cf2efef722271499a047847011
Cape
Cape
https://www.capesandbox.com/analysis/339321/
  
Dropped by
MD5 51e0b6c565bf6b22f2b0e9312332ff69

Comments