MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82e12573052c2f4088b79873bc969a0b0262d2beced743b68282248c3dc42ff7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	82e12573052c2f4088b79873bc969a0b0262d2beced743b68282248c3dc42ff7
SHA3-384 hash:	d1782d2be41a7e4e9e2594a6103d45f3db1c1ee93f6bdb7cad817e2b84b12e51b7976c71fa54326a900b9df535e08ad0
SHA1 hash:	66f063971466ec7d971ace5493d83f6e80128874
MD5 hash:	686bcaa21a34733719f1fdb14dbcb639
humanhash:	kitten-kansas-timing-michigan
File name:	DHL Original Shipping Document 4722823719_PDF.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	569'715 bytes
First seen:	2021-08-16 15:00:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	82004e82653b7bafbfcf73a18d8cef95 (3 x Loki, 3 x RemcosRAT, 1 x RevCodeRAT)
ssdeep	12288:M3RwHX34JgXZrXhcepr1klgTszv1P9V594uFs1zReedXIiExcUVq:M3Rmcepp9TsTh9Vme46Vq
Threatray	4'268 similar samples on MalwareBazaar
TLSH	T1E0C4CF11B9C1C032DA73383147B0D1B14D7DB9312F2696DB63D819BA9F64AC1A936B2F
dhash icon	c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter	malwarelabnet
Tags:	exe Loki Lokibot

Intelligence

File Origin

# of uploads :

# of downloads :

412

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Original Shipping Document 4722823719_PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-08-16 15:09:14 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/f388155b-b914-45b3-bc0e-9f432fb2fbfc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/179585/

Detection(s):

Win.Dropper.Smdd-6956905-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Deleting a recently created file

Sending a UDP request

Unauthorized injection to a recently created process

Reading critical registry keys

Changing a file

Replacing files

Connection attempt

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Stealing user critical data

Moving of the original file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7fa6f986-536d-4fbd-89c4-a30b84498289

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/833607

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/82e12573052c2f4088b79873bc969a0b0262d2beced743b68282248c3dc42ff7/

Threat name:

Win32.Trojan.Ursnif

Status:

Malicious

First seen:

2021-08-16 05:38:38 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qlqsk4yffqxubcfxtbz3zfu2bmbgfuv6z3luhnucqisiypoef73q._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

324d549fb7b9999aa0e6fb8a6824f7a05fe5f1f21d76fb2d360cb34c56eb1995

Loki

3fb730890c8c04eb09d8b2acff9c376d8054d5d3748898a907099055ec54f2ac

Loki

44df96504ff0a727740da2a67982e2d214849ecf98a64de1ffcbf92bb46331a1

Loki

6438095080694e51e7802ba419e9854234dccdd3cc818eee26cea88f6391177f

Loki

871fa4ba1f0c569a5e3eecc4580b37039a5ba0ea1b07435b881e021ec7532785

Loki

c7d0361fe4ffb35e685f172468a532c9c50f136bd54ac8225db1c96b9942edbe

Loki

ebdee756cd475a65df67185291c3fffad83b91d8c59f8248160f6b0ff15fb279

Loki

+ 4'258 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot spyware stealer suricata trojan

Link:

https://tria.ge/reports/210816-r95dgstay2/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://185.227.139.5/sxisodifntose.php/soXeChGo0UhiI
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

fe3106bd0bc6b6a6bcae869ec3b3feb2ac37d26d7e39a04c1236aff472beca7c

MD5 hash:

7cf908871403a01f4b5b7ba6d1ee7841

SHA1 hash:

c49ebd01f06beebff86c26a1f598b3e629611bd0

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/2e863c36-5295-49ee-910d-d4e35e99da1c/

Parent samples :

82e12573052c2f4088b79873bc969a0b0262d2beced743b68282248c3dc42ff7
88d340b5f4e128ee71446adff5b002ef8017bb5f919f7e170ecd4fc10566b8c9

SH256 hash:

82e12573052c2f4088b79873bc969a0b0262d2beced743b68282248c3dc42ff7

MD5 hash:

686bcaa21a34733719f1fdb14dbcb639

SHA1 hash:

66f063971466ec7d971ace5493d83f6e80128874

Link:

https://www.unpac.me/results/2e863c36-5295-49ee-910d-d4e35e99da1c/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/82e12573052c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/82e12573052c2f4088b79873bc969a0b0262d2beced743b68282248c3dc42ff7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179585/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample