MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 747618305eae7ecbbdb2aad77d366405ad59770dc5cb5393857b112f3ea71f69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	747618305eae7ecbbdb2aad77d366405ad59770dc5cb5393857b112f3ea71f69
SHA3-384 hash:	5cca3266d3e758cfa0833fbd27ebabe49adaa35727cccaa824c1adaddc9669b5906c97207749439dc68701a5c509185c
SHA1 hash:	78d6c5ec58a829a45f053ad80a9129d73ee0892f
MD5 hash:	0185d3368df52e14375f3495388ffeb9
humanhash:	kansas-hamper-equal-dakota
File name:	[DHL] AWB# 397911942611.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	881'152 bytes
First seen:	2022-04-28 11:39:47 UTC
Last seen:	2022-04-28 12:43:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:jwKdOLWJezgWme6tTa552Uq0eX7iTB91LCCbfUOYDPrr8Qo17GVGE83T3:jwZQ673V552DuTvtCGWjAQk7or8D
Threatray	8'294 similar samples on MalwareBazaar
TLSH	T1AC15E00ABA59CAF5D5394F73BDC3500C07A22CF5E902C55B6AC7F24A0A723B60D956B3
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f3fbfbfbdbdbdbdb (6 x AgentTesla, 3 x Formbook, 2 x NanoCore)
Reporter	abuse_ch
Tags:	DHL exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/267532/

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.7672.17016.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/626a7d1a43389532771d2013/reports/fa8a94c6-6e76-4fa9-9557-f6faa500e81f/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/971ead7e-befa-4e2b-82fe-8deb7edbcbd0

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/984792

Signature

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/747618305eae7ecbbdb2aad77d366405ad59770dc5cb5393857b112f3ea71f69/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-28 11:40:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 25 (56.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=or3bqmc6vz7mxpnsvllx2nteawwvs5ynyxfvhe4fpmis6pvhd5uq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

32f4ed2758d54d89b86ead83702e718d654e1fa6c78b4b46c4ca6fb25077d699

Loki

3f54d4c72e0965af59b283d96ddfce94d9e302b1529a2ab8a00b61737ca49d23

Loki

570ca80a1165eff70e52b4c9c69745fb94f2816640ac71d7cb055d4b5aa1680c

Loki

900fd05c173389415366e0b8eab3f9eb60deb3a559ae87047e5c4407712ff90f

Loki

bbe65b794bbd8e5950100994809d8744331b943035f93572b73830b97e59eed0

Loki

+ 8'284 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220428-nswg5afhdj/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://198.187.30.47/p.php?id=21232783593130885
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

a5fa5d3e31bd470129b4c71b928b9661c1c704632ecf5b68d2fc648dfb657389

MD5 hash:

6b40898baaa1c06a9eacaf397da5cabe

SHA1 hash:

ced1cede92d16da6b585d9ee56ee2f1bdbf0eb98

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/e5e78e71-e940-491e-8df4-8d56e386b56c/

Parent samples :

1ba98686446412473dd5b0f72c5e9f7f9f278ffa3ad09879024df8b202992403
747618305eae7ecbbdb2aad77d366405ad59770dc5cb5393857b112f3ea71f69

SH256 hash:

7e9a86769f897836905c2a3bab08793db188e2461c797dd5bda54d5000cde33c

MD5 hash:

a13b88ff7c6910759a690da73f12692e

SHA1 hash:

4efc49bd507b04578a2f6366626419c7f62990af

Detections:

win_lokipws_auto

Link:

https://www.unpac.me/results/e5e78e71-e940-491e-8df4-8d56e386b56c/

SH256 hash:

92fc621e886ad486195efe1b074a5186c27599e3dd4d71c72cae3078b8660ae2

MD5 hash:

e80503550a2aa077f62f09c7dc6be7e4

SHA1 hash:

f93e86c149eac50b611a1f9a7b59f5d81026262c

Link:

https://www.unpac.me/results/e5e78e71-e940-491e-8df4-8d56e386b56c/

SH256 hash:

84ae15dd72460e4ff5f6174bb9bef6f71935b062812ea725fdf3299a7e841127

MD5 hash:

83b8621541204c12ba7f952606d52ea0

SHA1 hash:

38e4d15401309a2a650b2f3c8c2def32476b3539

Link:

https://www.unpac.me/results/e5e78e71-e940-491e-8df4-8d56e386b56c/

SH256 hash:

747618305eae7ecbbdb2aad77d366405ad59770dc5cb5393857b112f3ea71f69

MD5 hash:

0185d3368df52e14375f3495388ffeb9

SHA1 hash:

78d6c5ec58a829a45f053ad80a9129d73ee0892f

Link:

https://www.unpac.me/results/e5e78e71-e940-491e-8df4-8d56e386b56c/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/747618305eae/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/747618305eae7ecbbdb2aad77d366405ad59770dc5cb5393857b112f3ea71f69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/267532/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample