MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ec3a47d84d4fdc7f4359e840592afefa7b70cdbb03e4d4d1c06c0d5ec083424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ec3a47d84d4fdc7f4359e840592afefa7b70cdbb03e4d4d1c06c0d5ec083424
SHA3-384 hash: df45ce50638aacecc4ca1b0852767e2ff52913628eadb3fd7fbee7212c21a797d4d1bf2da44cd57e428fc39625edd819
SHA1 hash: 468535278920ceeac1218a3a437543993c169710
MD5 hash: d4671347c475b26c36d98c634b1997ad
humanhash: autumn-aspen-floor-xray
File name:FedEx Receipt- AWB#5305323204643.exe
Download: download sample
Signature Loki
Create hunting rule
File size:865'792 bytes
First seen:2022-10-07 07:20:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:s2iNKJ2uGPrlMIbGN/XaDSpRQR8IFcicxwRMhyknD8EMBZoW:s1d1zmIqpXYSpDIF/MXD8EyZN
Threatray 10'069 similar samples on MalwareBazaar
TLSH T1D70537BA21D54107E8257275D887D1F32AFBAD606061E1CB2AD73F6FBC811BB911334A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://162.0.223.13/?ui31hfjahdifajdkfjxiozd

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://162.0.223.13/?ui31hfjahdifajdkfjxiozd https://threatfox.abuse.ch/ioc/872099/

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317527/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/633fd361d089a0c15dd5ae2f/reports/b7543e17-e7b1-4ed9-8548-da56aca7e6db/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be4e2810-0444-4906-9e64-4995fb6cd81b
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1085547
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7ec3a47d84d4fdc7f4359e840592afefa7b70cdbb03e4d4d1c06c0d5ec083424/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-07 07:21:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p3b2i7me2t64p5bvt2calevp56t3odg3wa7e2ti4a3anl3aigqsa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
050a053b4f14b010cfc82949bb761c209d1b4a8e98675e1e13fe072ef942b246
Loki
1aebe5d59997e78b81ad714be8dfd697665381018041c62a40a55f0ce215ea35
Loki
1df17eb8a8c1bafe0b56f2b875c934582d7bd5398fbebbf27761da4a789871d9
Loki
35bf40f65ad336f3d6192dd5b520085fe55780d9740f697de15923712c87f6d3
Loki
86872882a1df4af709b5a75bade82d33754df38e07fdf50311c93d7b8ca055cc
Loki
8889a80ba52046a9980a2575191afbf1eed046dccc770acb32542e648e1dd7a1
Loki
9fd17bb86920c52db8ddcbd18efb3725f5570db182676fa678756cc3d3e11c9d
Loki
+ 10'059 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221007-h6n3babha4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://162.0.223.13/?ui31hfjahdifajdkfjxiozd
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e9f0d097-98e0-487d-9207-82fee33bf1a1
Unpacked files
SH256 hash:
fe3710d69f6c419706c1d819757e2e399c8903cc847169e99b8b72e6d5ff168a
MD5 hash:
4a33f0edb7b63a26fd7ea642720bf63d
SHA1 hash:
91a900fbcc8226f756b44d4295434e14f4cb0588
Link:
https://www.unpac.me/results/e7df676e-1c3f-4c3b-9a21-8f8af5213da1/
SH256 hash:
d9fe30cd94647e1d3cb794c7158a8919163efbe6976856e38abbdc050ebc543c
MD5 hash:
dab1c1db487727bbe97a6f2f5ffddf04
SHA1 hash:
7cfb4a3271a1f4cdeaa73b718b0c150b9633d30e
Link:
https://www.unpac.me/results/e7df676e-1c3f-4c3b-9a21-8f8af5213da1/
SH256 hash:
1383999cb3682a0a0a54fad8a8e3f0fda2d4ce6422fa35286cece258aa1844a1
MD5 hash:
d891ee2f90e3392ee593067a038f3335
SHA1 hash:
347e96ac60f38938b0061ce5c21bec28c87f71f9
Link:
https://www.unpac.me/results/e7df676e-1c3f-4c3b-9a21-8f8af5213da1/
SH256 hash:
f9f2da2f7797af537a7dcc337ab71b9a5e0a43e2f29d465f07450c62110f30ee
MD5 hash:
2ffc2058c7dccfc221146e30c2fc0eb3
SHA1 hash:
1298832ef0bf034f702724c25d3baf670f4ee66a
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/e7df676e-1c3f-4c3b-9a21-8f8af5213da1/
Parent samples :
1df17eb8a8c1bafe0b56f2b875c934582d7bd5398fbebbf27761da4a789871d9
7ec3a47d84d4fdc7f4359e840592afefa7b70cdbb03e4d4d1c06c0d5ec083424
b53e62c1d7215a0dc33d035ac0721e2c5cc8a72aa8f7ea4ff7a3c01a55131345
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/e7df676e-1c3f-4c3b-9a21-8f8af5213da1/
SH256 hash:
7ec3a47d84d4fdc7f4359e840592afefa7b70cdbb03e4d4d1c06c0d5ec083424
MD5 hash:
d4671347c475b26c36d98c634b1997ad
SHA1 hash:
468535278920ceeac1218a3a437543993c169710
Link:
https://www.unpac.me/results/e7df676e-1c3f-4c3b-9a21-8f8af5213da1/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ec3a47d84d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ec3a47d84d4fdc7f4359e840592afefa7b70cdbb03e4d4d1c06c0d5ec083424

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/317527/

Comments