MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 878702b9fa51d353b5d7ca62f6e94ee21f5375fe2bd565244e27148e816ad594. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 878702b9fa51d353b5d7ca62f6e94ee21f5375fe2bd565244e27148e816ad594
SHA3-384 hash: 5f7bef7f9aeea40758a30896a7350d58abd8e012707b0fbdad8cc2b4e894f198f93d90fa6afc3f165c5c9a614484119d
SHA1 hash: 242bc285a37978de1ad3038bd31752d83b15aa1f
MD5 hash: cf0af6a5966be43c0f1b7535a19f5b38
humanhash: mockingbird-lima-leopard-happy
File name:Factura_comercial_de_envío_de_DHL.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'022'976 bytes
First seen:2022-02-08 01:24:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f8c7cfaca09acfcd15a22a0da4386c8 (1 x OskiStealer, 1 x Loki)
ssdeep 24576:9tIL1yFv+6WXtZZ7jtqlxRxaPV7FNlpr5:9LgRcOVRfF
Threatray 7'093 similar samples on MalwareBazaar
TLSH T183259D63F7A0083ED21316319D5BD678A9167EB03D28EA867FE47D082E34345B526ED3
File icon (PE):PE icon
dhash icon eef2f3969292d42a (18 x Formbook, 4 x Loki, 2 x DBatLoader)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/237355/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader.origin.7566.357.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Reading critical registry keys
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6300/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe keylogger replace.exe
Link:
https://www.filescan.io/uploads/6201c6734077c8b9a01e7c2e/reports/021fc875-c50c-4f98-a34c-fc4b6793b4dd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/04cf232d-fb00-4732-8a9d-7ffd399105a6
Result
Threat name:
DBatLoader Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935675
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected DBatLoader
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 568154 Sample: Factura_comercial_de_env#U0... Startdate: 08/02/2022 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 7 other signatures 2->57 6 Factura_comercial_de_env#U00edo_de_DHL.exe 1 17 2->6         started        11 Ychhmqom.exe 15 2->11         started        13 Ychhmqom.exe 15 2->13         started        process3 dnsIp4 27 onedrive.live.com 6->27 29 fo95og.am.files.1drv.com 6->29 31 am-files.fe.1drv.com 6->31 23 C:\Users\user\Ychhmqom.exe, PE32 6->23 dropped 25 C:\Users\user\Ychhmqom.exe:Zone.Identifier, ASCII 6->25 dropped 59 Tries to steal Mail credentials (via file registry) 6->59 61 Drops PE files to the user root directory 6->61 63 Injects a PE file into a foreign processes 6->63 15 Factura_comercial_de_env#U00edo_de_DHL.exe 57 6->15         started        33 onedrive.live.com 11->33 37 2 other IPs or domains 11->37 65 Multi AV Scanner detection for dropped file 11->65 19 Ychhmqom.exe 11->19         started        35 onedrive.live.com 13->35 39 2 other IPs or domains 13->39 21 Ychhmqom.exe 13->21         started        file5 signatures6 process7 dnsIp8 41 remoitiluteriver.zapto.org 154.120.77.209, 80 SpectranetNG Nigeria 15->41 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->43 45 Tries to steal Mail credentials (via file / registry access) 15->45 47 Tries to harvest and steal ftp login credentials 15->47 49 Tries to harvest and steal browser information (history, passwords, etc) 15->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/878702b9fa51d353b5d7ca62f6e94ee21f5375fe2bd565244e27148e816ad594/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 01:25:10 UTC
File Type:
PE (Exe)
Extracted files:
121
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6dqfop2khjvhnoxzjrpn2ko4ipvg5p6fpkwkjcoe4ki5alk2wka._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
011fa3e9cea288e556de0f2f018b2f57ce66114a1fbc8bc6cda7edd110641906
Loki
0b7ca3280540f9648f1ea4ca26bc51e079b65523339881b9fa75e220850ecbb2
Loki
50c658d55284216936130f61b68e8c3f2d16b711878e038b0d8fe9343de4521b
Loki
84252477cc98f1d08f4c8304713a9dfe3a5718fd1b6bde1e6f7a5f17ce4b2a0f
Loki
86878e85917c3e68a46b1ca8225b72bdbd46d1586b9e55eb879ef7c018e30ca1
Loki
c66cfde57cb65190f4df3c66970202ad22f5e6da94e0af705810cdda8c43d646
Loki
cc6f7015178099ed4fe5f69d58b2000450229beffa9947398aa7f454f01680fb
Loki
+ 7'083 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/220208-bsyw2abfd6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://remoitiluteriver.zapto.org/qopjhhgpop/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
878702b9fa51d353b5d7ca62f6e94ee21f5375fe2bd565244e27148e816ad594
MD5 hash:
cf0af6a5966be43c0f1b7535a19f5b38
SHA1 hash:
242bc285a37978de1ad3038bd31752d83b15aa1f
Link:
https://www.unpac.me/results/220cf81d-58e0-43f7-be39-dbde9e5aba07/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 878702b9fa51d353b5d7ca62f6e94ee21f5375fe2bd565244e27148e816ad594

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/237355/

Comments