MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b864567ce2527e7dee91118c1bbf6bd1855ca15588c3a743fe535574345b451. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	7b864567ce2527e7dee91118c1bbf6bd1855ca15588c3a743fe535574345b451
SHA3-384 hash:	1cb7de234a9df1a91010bf94e36fd2d9369b531130ea394b1c4c72fe7155327df047d038fc6f08082a5656c71d6d9714
SHA1 hash:	fb0925b0ded9b413c0562cfcf32fd9da14ef9a7a
MD5 hash:	7ee83dd92fdd8ee73a7a7ce01051deb1
humanhash:	white-avocado-arizona-hawaii
File name:	Draft Invoice delivery Receipts.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	402'432 bytes
First seen:	2021-09-13 05:35:07 UTC
Last seen:	2021-09-13 13:24:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:WZBAk4DbF53e0IUFLVOwuWDanajyYe3uNIVb:q65OCuIyYe3eu
Threatray	4'674 similar samples on MalwareBazaar
TLSH	T116849C202CEE902AF173AF7A5ED4B5969AAFF2733603E85D145103874723B41DED193A
Reporter	cocaman
Tags:	exe INVOICE Loki

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Draft Invoice delivery Receipts.exe

Verdict:

Malicious activity

Analysis date:

2021-09-13 05:38:33 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/d96bee25-7a12-48a8-93d5-531f6cf52614

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/187191/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file in the %temp% directory

Delayed writing of the file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6174f9f6db358dd15ed91351/reports/d0337019-8557-41f9-b1bd-abfd19a9e8d0/overview

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/76257f5a-e86d-4543-82a2-094db0ec7028

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/849473

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/7b864567ce2527e7dee91118c1bbf6bd1855ca15588c3a743fe535574345b451/

Threat name:

ByteCode-MSIL.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-13 03:01:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 45 (40.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=podekz6oeut6pxxjcemmdo7wxumflsqvlcgdu5b74u2voq2fwriq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer trojan

Link:

https://tria.ge/reports/210913-gakvcachg5/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Lokibot

Malware Config

C2 Extraction:

http://136.243.159.53/~element/page.php?id=474
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

ad4a7895d529d5164302bb88596964ab42ff125bf0f5544418c80b6d438cb587

MD5 hash:

43ababb6b0a02907aad43084f12b10d9

SHA1 hash:

b60ba705891d5a666d64300181b475a46714ffa8

Link:

https://www.unpac.me/results/e050f5cb-58a8-4a92-8685-7f57a4c1f1d1/

SH256 hash:

f00d24e95642c0895c3ae2573cdd08f1c685827a959c938b2e07eeeaa25e7e13

MD5 hash:

f50efe86ff4df9264ea67c3a5be7bf66

SHA1 hash:

9483655f85e8bceaf8bf574feb9714422ff92c00

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/e050f5cb-58a8-4a92-8685-7f57a4c1f1d1/

SH256 hash:

2257c9e5fcc604e4da83d4dd221b884ee15e38222dce2692a2a7f32aae7754f3

MD5 hash:

09d0060e7c9b351f0c77f9b254a04d7b

SHA1 hash:

55fdd81fa1a51ccb71717af58dd3926052d4174c

Link:

https://www.unpac.me/results/e050f5cb-58a8-4a92-8685-7f57a4c1f1d1/

SH256 hash:

7b864567ce2527e7dee91118c1bbf6bd1855ca15588c3a743fe535574345b451

MD5 hash:

7ee83dd92fdd8ee73a7a7ce01051deb1

SHA1 hash:

fb0925b0ded9b413c0562cfcf32fd9da14ef9a7a

Link:

https://www.unpac.me/results/e050f5cb-58a8-4a92-8685-7f57a4c1f1d1/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/7b864567ce25/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7b864567ce2527e7dee91118c1bbf6bd1855ca15588c3a743fe535574345b451

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

ace 7b557541f25f92236e3a076070e5664f63f4b7bfea6ef2cd4de7c128ad8b587a

Loki

exe 7b864567ce2527e7dee91118c1bbf6bd1855ca15588c3a743fe535574345b451

(this sample)

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/187191/

Dropped by

SHA256 7b557541f25f92236e3a076070e5664f63f4b7bfea6ef2cd4de7c128ad8b587a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample