MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
SHA3-384 hash: 6b2d52c46ad3973d7e5c8fac06a01202e86597b633dc83efcdfafae2fa8c9d8225b80708bed1828f88a7e1b22c525b50
SHA1 hash: 9777d98556ef004559dc67cd4a600e5b16ceb9be
MD5 hash: 6d4b2188167e36105b407dac8185bf10
humanhash: spaghetti-two-equal-mexico
File name:DHL doc.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'429'504 bytes
First seen:2023-05-30 07:45:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:pPLaVUH999wnomY9hpGlpO3FvAcZ7CXCXBEfgP2xRyfmSOKC7R4EAzFSC4E/Yzwf:xBH9qomY9hglpcqCXBEfgZfmSOKC7R45
Threatray 2'004 similar samples on MalwareBazaar
TLSH T1CF6523A4E6DF813FD1C317300C0067B461EE83CABA7BD71B1C9BA5E4AA12E7DA104795
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0060696969714410 (13 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
DHL doc.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 07:52:42 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/c3d83792-3093-4871-aaff-43fb9a8105de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393377/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2060.11162.14637.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6475a9bf6dd70dc931d859de/reports/3cd3e4c8-4834-4ba6-8c31-809ed1de1f1a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/659e0ac4-ffb9-48e4-b295-a1d38c1e4f1c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1245089
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 878094 Sample: DHL_doc.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic 2->69 71 Multi AV Scanner detection for domain / URL 2->71 73 Found malware configuration 2->73 75 17 other signatures 2->75 9 DHL_doc.exe 3 2->9         started        12 Synaptics.exe 2 2->12         started        14 EXCEL.EXE 2->14         started        process3 file4 57 C:\Users\user\AppData\...\DHL_doc.exe.log, ASCII 9->57 dropped 16 DHL_doc.exe 1 5 9->16         started        19 DHL_doc.exe 9->19         started        21 Synaptics.exe 12->21         started        process5 file6 41 C:\Users\user\Desktop\._cache_DHL_doc.exe, PE32 16->41 dropped 43 C:\ProgramData\Synaptics\Synaptics.exe, PE32 16->43 dropped 45 C:\...\Synaptics.exe:Zone.Identifier, ASCII 16->45 dropped 23 Synaptics.exe 3 16->23         started        26 ._cache_DHL_doc.exe 54 16->26         started        47 C:\ProgramData\...\._cache_Synaptics.exe, PE32 21->47 dropped 30 ._cache_Synaptics.exe 21->30         started        process7 dnsIp8 83 Multi AV Scanner detection for dropped file 23->83 85 Drops PE files to the document folder of the user 23->85 87 Machine Learning detection for dropped file 23->87 32 Synaptics.exe 44 23->32         started        67 161.35.102.56, 49684, 49685, 49686 DIGITALOCEAN-ASNUS United States 26->67 59 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 26->59 dropped 89 Antivirus detection for dropped file 26->89 91 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->91 93 Tries to steal Mail credentials (via file registry) 26->93 95 Tries to steal Mail credentials (via file / registry access) 30->95 97 Tries to harvest and steal ftp login credentials 30->97 99 Tries to harvest and steal browser information (history, passwords, etc) 30->99 file9 signatures10 process11 dnsIp12 61 freedns.afraid.org 174.128.246.100, 49694, 80 ST-BGPUS United States 32->61 63 docs.google.com 172.217.168.14, 443, 49689, 49690 GOOGLEUS United States 32->63 65 xred.mooo.com 32->65 49 C:\Users\user\Downloads\ChromeSetup.exe, PE32 32->49 dropped 51 C:\Users\user\Documents\~$cache1, PE32 32->51 dropped 53 C:\Users\user\Desktop\._cache_Synaptics.exe, PE32 32->53 dropped 55 9 other malicious files 32->55 dropped 36 ._cache_Synaptics.exe 32->36         started        39 WerFault.exe 32->39         started        file13 process14 signatures15 77 Antivirus detection for dropped file 36->77 79 Multi AV Scanner detection for dropped file 36->79 81 Machine Learning detection for dropped file 36->81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 07:46:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=retpfri5wa75uga7pmbayb5xeyt7qnemdwnxhuro57ifvrfata7q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
069d0eb7f3e3d5bda86b1b2782d6a0cbf16da50a28b2738c0e91252a3ed34eba
Loki
4969ef4af9004baaf340293cb7b7a4b46289d2648105c840997a961b19f7d846
Loki
4f250e4c6d12fc351a9e0cfae8036b78a88c409e6c6c88a45aa6b659d8c4901e
Loki
62f1922f673fdb34aea18eac783649154f1bdc646410052e3b72c4ebe6c78f37
Loki
97f4b5ad674795f80179444016df17a455ed6ecfdea1639550a1bba5a1ffaab8
Loki
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
Loki
b2fb5fa4aab3329297f4f06a3596a9f640826252f473cc0f62b21c8f1a8b0cfa
Loki
c7b06e2840e703c98fbe1fbfd9f33f5478e58840112d85c1e94c27a34474c95f
Loki
ed5ba1279fc7507c374a5efe1af24535962d5fd72626be44d7842146c032dc48
Loki
fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
Loki
+ 1'994 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/230530-jlzhzsgc57/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://161.35.102.56/~nikol/?p=4479137330
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
e17c72d80c47b69de339dabcea2cb93ebb9a7a98f7f8f78c233d4cec02471aee
MD5 hash:
3d81dc8162f2c97463d9b4487c2a1308
SHA1 hash:
98ba9509e131f36742200cd116733c338b4b1971
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
Parent samples :
52a13a4d61a25202abe50d85c42d4b3aac7e364af1100233c28cf06e4598882e
fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
SH256 hash:
4f95124102497e91b7a587cbc509e473001a355b84cf85a3fd52d2e80d2076d0
MD5 hash:
b52ff0889ce0c7243416742666f9e325
SHA1 hash:
8a8f021bf3fd12e1719f80094af5740a30b41664
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
SH256 hash:
5d0ce1536d18045d0e31c7e410b3a87a731287d6733d880ab60e97d3de47ee09
MD5 hash:
c5e93f7db669af6cf2a3715070e8540f
SHA1 hash:
850760f0079cd0deee19311b00cf0bf6488e17cb
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
SH256 hash:
beaf9886206a3902aa8dc0d484720bd230214c22151d88528f4145926d82486b
MD5 hash:
7a2534a911ae61f5873e33d20388b65f
SHA1 hash:
6e9917e8241ddcd00a1dbfdd97d2c871a9bc6df9
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
SH256 hash:
8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
MD5 hash:
6d4b2188167e36105b407dac8185bf10
SHA1 hash:
9777d98556ef004559dc67cd4a600e5b16ceb9be
Link:
https://www.unpac.me/results/b137b81d-cd6f-4b73-83a2-8f45de264b34/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8926f2c51db0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/393377/

Comments