MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82047917ba8c25313b170f2dc6d74f3aacfd31745d054e5f865e468dcd3b5298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82047917ba8c25313b170f2dc6d74f3aacfd31745d054e5f865e468dcd3b5298
SHA3-384 hash: 499d2b6b110b465dbfda534dd902f134e2ec9c745afe3291af954ee6051164035d60c0947604e5d37b58af45c7b2c5ea
SHA1 hash: 82cb4bcdf30805aba155e9b25b6bc96902b48083
MD5 hash: 0729423a4ec986dabf905f07a39f8d2c
humanhash: skylark-jig-high-dakota
File name:56782234-DHL-AWB-2021.exe
Download: download sample
Signature Loki
Create hunting rule
File size:829'440 bytes
First seen:2021-01-18 08:19:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Nw2ut5cBAImgemtNLpWs6m35DCTFupM/FlnMMa9etbV:aUmg/tNLd6mNXMQ596V
Threatray 9 similar samples on MalwareBazaar
TLSH FD05193D71A44B16E4386FF45A6893CC8BBDEE191626DE4AFCC136F6C571B01870A623
Reporter abuse_ch
Tags:DHL exe Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.doctorpc.pe
Sending IP: 198.38.91.247
From: Purchase@kancelaria-tw.pl
Subject: DHL-Team
Attachment: 56782234-DHL-AWB-2021.rar (contains "56782234-DHL-AWB-2021.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL-Team.eml
Verdict:
No threats detected
Analysis date:
2021-01-18 07:25:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/046dbd4b-2fdf-460b-bde9-c0bcd776c424

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112455/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/583739
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82047917ba8c25313b170f2dc6d74f3aacfd31745d054e5f865e468dcd3b5298/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-18 04:18:17 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qichsf52rqstcoyxb4w4nv2phkwp2mlulucu4x4glzdi3tj3kkma._file
Verdict:
unknown
Similar samples:
438c02be74a4976a426c2b0e5da2d37f04772782e59739ce2acc79e9dc780ca1
Loki
518023c16668547a3d37cd93ca34ae6697364dd838c8538d6de80441f2b6c1bd
Loki
63289870bb6e2bbb13afd47bf630c048e593afacc5c968939855f85ca5022ea4
Loki
64d7e0b438049a21a6f6525f3c25d93edb0b5ed42df9d2a3e0135ec3f9a48878
Loki
65ca40e44ab6171794b0c81d8b80122604eff3aca4614901fcd30db1a5329cfb
Loki
7139fbd600738d2f456c7f11ae105e45ab0bb6e14a473ae0e68391b8125da393
Loki
9918fff296f4d3133e38a13c5983a057c01b98837ca3af7948daa1ab6fa145c6
Loki
af5e020c1ac3f3590036495b28ebad3153c66986da343142db222a5df5d42b2d
Loki
ee86f083fdb8d5e2f4d1d609faf964fa08a01875bc0abb364aeb09bb83c35f8c
Loki
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210118-ypwdjqv8ax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
65c5b95720ded22e495574244a651055ffdf71d5cb8c04f99cde7c4501a14b36
MD5 hash:
2e47b5bd07f40067f9b2dfd827e7f943
SHA1 hash:
c9247566dd5b114975162fc449ef6f3f6c63a2c1
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/bd214976-bc6f-4931-893a-afe5c38f0f58/
Parent samples :
9f4258e5c61e45d8cedece680a26b83be12413727685afdf469bc91727751a8c
e099402cd2fecd5adebd170696d0e536fdc71dbd68d6fb642adf2cde3eed6f26
82047917ba8c25313b170f2dc6d74f3aacfd31745d054e5f865e468dcd3b5298
SH256 hash:
02994081187971bc6b28742057b27f38bb80091b4c1a01aa3ecd83b6dcab0717
MD5 hash:
e3061bcd751086c215640f9848172a20
SHA1 hash:
8f3f6783833cf6e6d9386a059b17946c9ffb8828
Link:
https://www.unpac.me/results/bd214976-bc6f-4931-893a-afe5c38f0f58/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/bd214976-bc6f-4931-893a-afe5c38f0f58/
SH256 hash:
82047917ba8c25313b170f2dc6d74f3aacfd31745d054e5f865e468dcd3b5298
MD5 hash:
0729423a4ec986dabf905f07a39f8d2c
SHA1 hash:
82cb4bcdf30805aba155e9b25b6bc96902b48083
Link:
https://www.unpac.me/results/bd214976-bc6f-4931-893a-afe5c38f0f58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/82047917ba8c25313b170f2dc6d74f3aacfd31745d054e5f865e468dcd3b5298

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 31ffec142c1a204bb33edb1c9610e2de57da7c9c1dfc74756216ffd93fcbe5d5

Loki

Executable exe 82047917ba8c25313b170f2dc6d74f3aacfd31745d054e5f865e468dcd3b5298

(this sample)

  
Dropped by
MD5 ed3262f26bede07125d9c6422e78b2f9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112455/
  
Dropped by
SHA256 31ffec142c1a204bb33edb1c9610e2de57da7c9c1dfc74756216ffd93fcbe5d5

Comments