MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e91c24511bf78dd089c2b613882d5005009e653562876c3d40625cae95cfea9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	7e91c24511bf78dd089c2b613882d5005009e653562876c3d40625cae95cfea9
SHA3-384 hash:	7f713075465626d52c9849ed58940f6bf5024bea12ee0f53f32b0c8171723fb0949fdb801f55509e9864bb739f6c7ad4
SHA1 hash:	756a5b7b2a8d0c2af8b178f366745b5f03536b56
MD5 hash:	7b6ef9f3b37eb76618c6062440a357fb
humanhash:	india-pluto-coffee-three
File name:	RFQ.info.bit.zip
Download:	download sample
Signature	Loki Create hunting rule
File size:	441'481 bytes
First seen:	2022-05-03 05:54:10 UTC
Last seen:	2022-05-03 06:04:01 UTC
File type:	zip
MIME type:	application/zip
ssdeep	6144:hKp0Ce/iKm/5HaAltzmWeSkwniLDcDZ5dvYL9VF+o8NtoX416E5xl3j:hugiKmxHJ7iSkwnqAZv8f+o8NWX4Xj
TLSH	T141942342C0455CE3E3EB8EE7E715836516B24F1D66E8B52CF8346F82CAEE8543A11DE4
TrID	80.0% (.ZIP) ZIP compressed archive (4000/1) 20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	cocaman
Tags:	Loki QUOTATION RFQ zip

cocaman

Malicious email (T1566.001)
From: "Madiha Rasheed <madha@technogroupllc.com>" (likely spoofed)
Received: "from technogroupllc.com (unknown [104.149.181.220]) "
Date: "3 May 2022 00:19:20 +0100"
Subject: "Request For Quotation."
Attachment: "RFQ.info.bit.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.GXM.genEldorado.13545.8979.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

msbuild.exe obfuscated packed

Link:

https://www.filescan.io/uploads/6270c3b662b1ae4451cff84b/reports/886cf8fc-d4fd-417e-bd5b-0e907068bd21/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/7e91c24511bf78dd089c2b613882d5005009e653562876c3d40625cae95cfea9

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e91c24511bf78dd089c2b613882d5005009e653562876c3d40625cae95cfea9/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-02 17:48:07 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

18 of 41 (43.90%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p2i4erirx54n2ce4fnqtrawvabiatzstkyuhnq6uays4v2k472uq._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220503-gme5maefaj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Lokibot

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1

suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

https://lasgidivibescontrol.com/lest/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/7e91c24511bf78dd089c2b613882d5005009e653562876c3d40625cae95cfea9