MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8316cf1ff4d3efc0b0718d3f517fa9392bd68c456c3d0c96306793e210f48b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	8316cf1ff4d3efc0b0718d3f517fa9392bd68c456c3d0c96306793e210f48b15
SHA3-384 hash:	fdfea93a01e60acb273733d55408c2828bf22909784e16865121e82f76e815bf65789fac23d4a363d6b621f89b5a4e07
SHA1 hash:	27981aa015340cf83cac3ac632382b8fb10cbc49
MD5 hash:	9711076738ca42d16799cd2acc580fde
humanhash:	fourteen-sodium-zulu-helium
File name:	Payment Request Form_pdf.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	210'991 bytes
First seen:	2022-11-17 17:17:44 UTC
Last seen:	2022-11-21 11:21:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	6144:1Ea0YjNykZ7NqUQ0s8onasv+1yv00kVJJ:fjNtpNqp30NVJJ
Threatray	9'461 similar samples on MalwareBazaar
TLSH	T17B240223E1C8B4F3F9065BB44E71767AC73AA17954181D434F946E1D0A23243AB3BE9E
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	e2ceaeaeb2968eaa (11 x Formbook, 5 x AgentTesla, 5 x AveMariaRAT)
Reporter	Anonymous
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Payment Request Form_pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-11-17 17:21:20 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/f647b730-3a9a-48fb-bf9c-961a48ee6cc6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/335500/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.12699.3753.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% directory

Creating a process from a recently created file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Enabling the 'hidden' option for recently created files

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Sending an HTTP POST request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63766ccbbde1d4a13243e153/reports/a69ebd18-fef2-483c-8bb1-ea18b00ab78f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5c9935b3-9978-4545-9fd5-55e7f4a359ca

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1115978

Signature

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8316cf1ff4d3efc0b0718d3f517fa9392bd68c456c3d0c96306793e210f48b15/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2022-11-17 02:20:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 40 (65.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qmlm6h7u2px4bmdrru7vc75jhev5ndcfnq6qzfrqm6j6eehurmkq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

381689aa52129bc94e5b821684bf9c00e91af0ef9a56b4490ee071e0cae08c58

Loki

5b51a7e451c70c0271f21acf38747c5af235c18394585c4470f127c343b6ff8c

Loki

a512d074556e9c5f7fe2fbb2ac63088adbaf8b4011a1629cc71cede78bdb2f19

Loki

a5d6e92e8d795d49e69b5f095b8cd864182ed00499985a0efa85d013edb966d7

Loki

b4fd188ef7836ae52efeb16712d088dd2cd21d09e37b19cc645b0f8b8762424c

Loki

e4680e26cc89886c7bcfcc9145902d92c5232f3572970d8d0b60ee3ff2e9d89a

Loki

+ 9'451 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/221117-vt9jpsfa88/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Lokibot

Malware Config

C2 Extraction:

http://171.22.30.164/kin/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/76e91ac6-276c-4bfe-b57c-408faf708fb3

Unpacked files

SH256 hash:

a99d516fcf57e3cb4bf59e5a4cb89ef1fb0b92c680c230105bca7027447988d1

MD5 hash:

125fa2b5e94e237397f86ea752f2bc37

SHA1 hash:

3d8b3166f02ef668a3f1daaecefca04573c38abf

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/f2d3bf5d-4923-4d9d-af53-dbcc331a1d52/

Parent samples :

b4fd188ef7836ae52efeb16712d088dd2cd21d09e37b19cc645b0f8b8762424c
a512d074556e9c5f7fe2fbb2ac63088adbaf8b4011a1629cc71cede78bdb2f19
8316cf1ff4d3efc0b0718d3f517fa9392bd68c456c3d0c96306793e210f48b15

SH256 hash:

560837c596525709bece20cbabdc53995535e5d7cff70a43d6887795809942f5

MD5 hash:

4956915d4f1fca15018c6286f857f31c

SHA1 hash:

474c21f5bfc966c3abdf99b59a12cb0c83583516

Link:

https://www.unpac.me/results/f2d3bf5d-4923-4d9d-af53-dbcc331a1d52/

SH256 hash:

8316cf1ff4d3efc0b0718d3f517fa9392bd68c456c3d0c96306793e210f48b15

MD5 hash:

9711076738ca42d16799cd2acc580fde

SHA1 hash:

27981aa015340cf83cac3ac632382b8fb10cbc49

Link:

https://www.unpac.me/results/f2d3bf5d-4923-4d9d-af53-dbcc331a1d52/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8316cf1ff4d3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe 8316cf1ff4d3efc0b0718d3f517fa9392bd68c456c3d0c96306793e210f48b15

(this sample)

Dropped by

loki

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/335500/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample