MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b557541f25f92236e3a076070e5664f63f4b7bfea6ef2cd4de7c128ad8b587a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 6


SHA256 hash: 7b557541f25f92236e3a076070e5664f63f4b7bfea6ef2cd4de7c128ad8b587a
SHA3-384 hash: 767e823b9af9dd09f4d60e95534ccc7d2570b8c4ee6561c976ace31fd4106850dba39e3a555f7c1c2cf185d49ac622e6
SHA1 hash: 0f4964d3522e625fc2453bf7cdd5b9a43edef1b5
MD5 hash: efb8538e1414d96d27c2d3f8854be491
humanhash: apart-mobile-ceiling-five
File name: Draft Invoice delivery Receipts.ace
Signature: Loki
File size: 323'423 bytes
First seen: 2021-09-13 05:34:49 UTC
Last seen: 2021-09-13 12:36:42 UTC
File type: ace
MIME type: application/octet-stream
ssdeep: 6144:BpJc15yWznr0/h57beHEa+Yu4+NAVRrqW5WF8aPFgnJiCSVtEEN/:BLcKheHx/Z+NIBqJkJQVmS/
TLSH: T18F642316D48413FB2DCB1B929790F3FB157280E3553FB909FAD4A2C988A78AB3674449
Reporter: cocaman
Tags: ace DHL INVOICE Loki


cocaman
Malicious email (T1566.001)
From: "DHL Express <Noreply@dhl.com>" (likely spoofed)
Received: "from ru05.random.com (unknown [109.237.103.70]) "
Date: "13 Sep 2021 02:25:14 -0700"
Subject: "RE: DHL on Demand Delivery"
Attachment: "Draft Invoice delivery Receipts.ace"

Intelligence


File Origin
# of uploads: 2
# of downloads: 141
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2021-09-13 03:01:44 UTC
File Type: Binary (Archive)
Extracted files: 5
AV detection: 18 of 45 (40.00%)
Threat level: 5/5

Result
Malware family: lokibot
Score: 10/10
Tags: family:lokibot spyware stealer suricata trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://136.243.159.53/~element/page.php?id=474
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ACE_Containing_EXE
Author: Florian Roth - based on Nick Hoffman's rule - Morphick Inc
Description: Looks for ACE archives containing an exe/scr file

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Malspam
Loki
ace 7b557541f25f92236e3a076070e5664f63f4b7bfea6ef2cd4de7c128ad8b587a (this sample)

Delivery method: Distributed via e-mail attachment
Dropping: Loki

Comments