MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0
SHA3-384 hash: aa568a0f481eb3ddc93b85b66e87d3b2487400b4f76c0fad6cb7b3057b88901f0d5c709400da37850049806f84079fb1
SHA1 hash: ac336dd5ab2d7e4c1822ccb5680b7243a0825fdd
MD5 hash: 09a3a511da8cebbb282ca95d6beb8e15
humanhash: lima-oscar-mobile-artist
File name:FedEx Receipt_AWB# 10235115676.exe
Download: download sample
Signature Loki
Create hunting rule
File size:699'392 bytes
First seen:2023-06-07 09:48:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0d6L7PVpfQicbhaDnLMzIL2q+RTdOL8IaW/RBjGSIa4ldwkPQ5OWyyMjSpHaLrOS:yOyqGUL8c/RBjGTHlZP+byzjSdCu
Threatray 4'300 similar samples on MalwareBazaar
TLSH T160E4016933A7604FCD6E7FBD18594B78C9F9AA463112C3839ED3648DED28F558A00363
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2ccf4e0e8d1c29c (12 x AgentTesla, 10 x Loki, 2 x SnakeKeylogger)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
FedEx Receipt_AWB# 10235115676.exe
Verdict:
Malicious activity
Analysis date:
2023-06-07 09:50:39 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/6e40e5b7-b717-49de-867f-77748fb7a9c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396350/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67413918.16391.15297.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker comodo darkkomet packed
Link:
https://www.filescan.io/uploads/64805253921f6a43bfb5da11/reports/0218248c-b672-458d-b32b-d0e24217f2c2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/56a7b608-80e8-45e7-8e2d-0393dc8cd331
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1250151
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-06-07 01:11:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqa2bgkmvx6crzmzp6yiwx46kgkceja3b3obbraob3abwqc3nkqa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
09c6284a6a3ff23dac87fb515c96d20cb67f33ec6afda9dd79bd2debc70bb3f2
Loki
1290e2fa7dd284fcddc2bf9caeac02ccbae1f1e715766eefd7644c245a6ecc53
Loki
2d62d20f9f016e3e2cccfd5414f8566aba4c76da2efb2ab9e8607021507bdf43
Loki
94a92d06d9fac7101cb5c15f1afe2bce92b2186085cadc1ea2c72b2f6e154912
Loki
9d19092e410ffb1914d7cd9271ec34b5aa8973eda65fd821851e53921a7017fe
Loki
9d4dab822267b1a1423a1a8ce5a459b1734327639db754549e60bd706648ab8d
Loki
bed6b66d53fdcb31a58849e4e52e5d87162051fbe7593c185582c2982aa3770d
Loki
c6b9515b2ec0ab542e367db58cefdedcd446f00ea5bf864ed1906c38ceba1e1a
Loki
fc4e8b16874c86e3d8ad3ce052b15421cd95d6c6f194587f2f5e08fa79e54172
Loki
fd5030b33e9f626dceea517a8ff935dcd2f9d9d8d6ff9ded6f998ecee7de7e52
Loki
+ 4'290 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230607-lsrstsaa8x/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://161.35.102.56/~nikol/?p=7855399
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
618923d59f930be8a44e624b8429106a91578fb8dd35863f0f228071f920e956
MD5 hash:
68f61259a858778c65d02eda3e8203af
SHA1 hash:
ef26a85662ee34e087460ee010f771e3665385cf
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/0af985ca-32f6-4a72-8656-38b6c1f73a29/
Parent samples :
f8725762bcc5a3d83234fd7a55cba1a002af80ecfe0eca2972899f49fa12934d
7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0
690bf56c513b3b1e8ef7eb1cabd0e7ae3caf33e6d4442264ec5b17c74b9c5d92
SH256 hash:
c440617e04a50ced73c8ab992cbe8d8954a3e41f21f046ee9d1f2a41ea9b416d
MD5 hash:
9390df6c9a6111978dee5414bc42eda6
SHA1 hash:
d3cb1c366b9e466afa93eb369838a04d30777795
Link:
https://www.unpac.me/results/0af985ca-32f6-4a72-8656-38b6c1f73a29/
SH256 hash:
3f1bb439dc1e39bdc7ea992cdbacc9583d53e6c4949433f94a8e5be5fa4d3d29
MD5 hash:
be030d800cea4838ad5a4a7559ed3c32
SHA1 hash:
81a03d90b451475d7b229ae91a811800e03f6cb2
Link:
https://www.unpac.me/results/0af985ca-32f6-4a72-8656-38b6c1f73a29/
SH256 hash:
473daf46ad3535fb00e113515d28f0caf1a68f1ae284c2749de5a41caf8c66ad
MD5 hash:
593c350870e1508a757de46f1c619e98
SHA1 hash:
22f3b13a8e0527c1288297db1c9510eec2995feb
Link:
https://www.unpac.me/results/0af985ca-32f6-4a72-8656-38b6c1f73a29/
SH256 hash:
450a02f06a695b02a89298dd855606793fac06a15c5ce00f1c75f16c3b81c0e2
MD5 hash:
992424bf97b77e56e50844ceb8e46bc8
SHA1 hash:
1ed012051e95b2fa7845979de1933403b89af8d4
Link:
https://www.unpac.me/results/0af985ca-32f6-4a72-8656-38b6c1f73a29/
SH256 hash:
7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0
MD5 hash:
09a3a511da8cebbb282ca95d6beb8e15
SHA1 hash:
ac336dd5ab2d7e4c1822ccb5680b7243a0825fdd
Link:
https://www.unpac.me/results/0af985ca-32f6-4a72-8656-38b6c1f73a29/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7401a0994cad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 7401a0994cadfc28e5997fb08b5f9e519422241b0edc10c40e0ec01b405b6aa0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/396350/

Comments