MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
SHA3-384 hash: 0d7066247c1c3cc20d3c83e7c5537d6000acbee23084e1e7ae7798644ddeb8ad7d41a863a90ad17fae21377cf838730f
SHA1 hash: 69683cca8c559a7cc2b6484ea982b2ca44be7a2f
MD5 hash: d1d899b06642500d72acaeb42896b348
humanhash: kitten-minnesota-delaware-utah
File name:7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
Download: download sample
Signature Loki
Create hunting rule
File size:187'904 bytes
First seen:2024-12-05 15:50:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:Dj2RbI+4N6qZjddV5stDIoMNLGcJEma5cPGWUIi3gCmPc/NNsOsajV5f8ve:D+mZ5z2DeJEmaW1C9+cTsXwV5G
Threatray 1 similar samples on MalwareBazaar
TLSH T18E04C0E9F2E78E22C27C5A3246D212005371EF862473EB2B359933249A377D31519BDB
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 01894d49c8380c0c (4 x Loki)
Reporter adrian__luca
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Замовлення на купівлю_(PO478403)_ТОВ «ТАСТА ЛІСКІ Трубодеталь».zip
Verdict:
No threats detected
Analysis date:
2024-10-21 12:59:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/67e33171-934f-49ad-a1a7-720f87e9bf19

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PWS.Pony.105.14557.25329.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6751cbee12e85e185e76332a
Tags:
virus gates
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fareit lokibot net_reactor obfuscated packed packed packer_detected stealer
Link:
https://www.filescan.io/uploads/6751cbd94ac4ab66dfca576d/reports/cdb0ad55-9247-4ac9-bbd9-c0b3d20f284a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/47299d13-ce0a-47c9-bbb0-7470253010d0
Result
Threat name:
Lokibot, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1569270
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-10-21 09:16:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pt56nu7udqkty6hu4jbbd76yshg6izar6bznqn4y4dqd4fakoaqq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
Loki
error
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery spyware stealer trojan
Link:
https://tria.ge/reports/241205-s91kmaxlcp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Lokibot
Lokibot family
Malware Config
C2 Extraction:
https://dddotx.shop/Mine/PWS/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ad8c024c-15f3-40da-ab9f-fb31c2dc8e19
Unpacked files
SH256 hash:
55edc01806a4ecd052464327f9c4d2c5eb82996111426aa5095a050afaa5f8f3
MD5 hash:
334b51f4ff0fc780b3118ffc78825e5f
SHA1 hash:
ffae94d70a3394f3fc9e8102f0805d12ad3024d7
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Lokibot
Create hunting rule
SUSP_XORed_URL_In_EXE
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/d8f72c50-30c6-4f3f-94df-4d159578d01d/
Parent samples :
506acdbf6f6334fb4b7519e45d60f3c90b115853fa4b76d0670bf20698f4c7c4
bfcc16e302514e80fdc77675291f1bdb32796e7b77274f7596049938d0652347
088bb7500d35c7ab73827301e505660559437479ef46312c3ee08b6253f35953
7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
83f31c20b1e1819627874ca9eeb2a8b703e28656a581289821415963dcf596b8
SH256 hash:
20a7b7fa27a8a3d79e7e124e1f0ce2ca2a647f432740565d2935badd84814027
MD5 hash:
bdbfc8de76d50d05a2dba4c515a50b90
SHA1 hash:
cac80a2c292d015d7c980724e9391b88d60f0f76
Detections:
INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Link:
https://www.unpac.me/results/d8f72c50-30c6-4f3f-94df-4d159578d01d/
Parent samples :
088bb7500d35c7ab73827301e505660559437479ef46312c3ee08b6253f35953
8b5e4c846dc98bdea2524651cf2895630c27bab15f5b27d60a9fd732b1c6ba3f
75173e92fd7a13e7be3ec177c5287280aae4d2a5e6911cd1458400d96289d18d
7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
83f31c20b1e1819627874ca9eeb2a8b703e28656a581289821415963dcf596b8
d59042fb9666d5a2fcb62371be2ab5c51b708f27db5711659d6b6d54e261741e
ee8578ebf209462c50f37d8fceb524db53b5b97078aa0995c775133b8d3f9d64
62ad3f54c6adf2f358213da7c9729890d86d1f17444f23d159aa6455188b34bc
1d723e459d4edcfdba3c63825c9582341d356b22ecfc22b8a446b430e0b27be5
141a6b48b260182bfbf3419b85b4d63d06a9bc41dd8ac573528c74c980b01614
668b4176657d8ff0f4d9c2559d5fc8c93b91c72fbeed238b5983f94b9055ae3a
5aa774e9545c8b8ce704219aeb374be885ec8533eaa8562db4ad5118917582be
e8d4cd03450bee6fa32028e4e4e0e415d4c4bbfcb349e77170cd983226666820
SH256 hash:
7dc2c93c32e29c820f2738633f3ef77f5e91e59f308c317868b3c196bb34ca44
MD5 hash:
e9f5940e88504e64d5eb2a52616e9377
SHA1 hash:
7605ac654f0ba0d7c2eedb8e284f76bbb822cbdf
Link:
https://www.unpac.me/results/d8f72c50-30c6-4f3f-94df-4d159578d01d/
SH256 hash:
7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021
MD5 hash:
d1d899b06642500d72acaeb42896b348
SHA1 hash:
69683cca8c559a7cc2b6484ea982b2ca44be7a2f
Link:
https://www.unpac.me/results/d8f72c50-30c6-4f3f-94df-4d159578d01d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7cfbe6d3f41c153c78f4e24211ffd891cde46411f072d83798e0e03e140a7021

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments