MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b65be761d8472895c8fad23dbe82c6e3068bf1ac2548ddd6a09ef7274f26d04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b65be761d8472895c8fad23dbe82c6e3068bf1ac2548ddd6a09ef7274f26d04
SHA3-384 hash: c8124f0f38809d947d173f12cf2c28da4c0ce2b0b6ec212aeff4dc3310cae55d225bc4762de558d6f16f602986d24668
SHA1 hash: c90f011e9001bcbccd23a4446f34672fddcf41be
MD5 hash: cce09107ce9a2bd00204e1e66c367eb3
humanhash: fillet-connecticut-eight-bakerloo
File name:DHL EXPRESSS.exe
Download: download sample
Signature Loki
Create hunting rule
File size:500'224 bytes
First seen:2022-02-03 19:39:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:FJP9V8p7vXK3TkaJ47yTa6Y/YSvKCxmkySUisRgFB4pXMzRcFPpnPtiFwL+z2dgp:uMrJmYSvKAyIsRUBG/PtiYNd4J
TLSH T19DB4BF27FA8BCA81D455513210FFB44103B23EDBAAD3D6063B5CB3580FB26664F9A54B
File icon (PE):PE icon
dhash icon 96d4acda6cb4dc0c (25 x AgentTesla, 12 x Formbook, 10 x Loki)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DHL EXPRESSS.exe
Verdict:
Malicious activity
Analysis date:
2022-02-03 19:46:21 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/e0b1f771-4ef5-4117-b4c5-f3e9b0797f3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/232704/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Launching a process
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Stealing user critical data
Query of malicious DNS domain
Unauthorized injection to a system process
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61fc33e418d1bfdde4ef3284/reports/d8d090e1-0731-4f74-ae22-d5210c0ee5c2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8929a68a-0204-4d40-a7c8-93d2c51f490e
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933708
Behaviour
Behavior Graph:
n/a
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8b65be761d8472895c8fad23dbe82c6e3068bf1ac2548ddd6a09ef7274f26d04/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-02-03 11:30:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rns345q5qrzisxepvur5x2bmnyygrpy2yjki3xlkbhxxe5hsnuca._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220203-ydjvwsdah6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Lokibot
Malware Config
C2 Extraction:
http://secure01-redirect.net/gc21/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
cbd2c500810b9f81a4f6fbc49ba2ec50ec29fa78eddba30f86fbb01391f98172
MD5 hash:
89b045d47c79ff2d83ec739ed56bb0ff
SHA1 hash:
b9e327ac9c1d10a60bcde617fe6cadb7eca30ecb
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/235f28a3-5ac1-4aad-9dec-1093ad2a870f/
Parent samples :
fdcb72c5ba8ad0aedb04be098c76741d040630b91578ca8b693469e21caf2699
8b65be761d8472895c8fad23dbe82c6e3068bf1ac2548ddd6a09ef7274f26d04
dec44075aecbe3a36660f6fabce5b7893101922b5e17181d62fccbe84050b235
SH256 hash:
0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9
MD5 hash:
263b5190f7ac42d83c756dcdf38147bb
SHA1 hash:
78f419fe3936ed7d603706c47230cd3e6ff79ffe
Link:
https://www.unpac.me/results/235f28a3-5ac1-4aad-9dec-1093ad2a870f/
SH256 hash:
c304e47a1ca00a7ff4d07b4e62f414e1e712bfcd3385bf5dc5583327255a701f
MD5 hash:
874262732c2732588c76ee058bc4d694
SHA1 hash:
2d96151488ad3da4bd629bcfcb4cfd69ca6c3940
Link:
https://www.unpac.me/results/235f28a3-5ac1-4aad-9dec-1093ad2a870f/
SH256 hash:
8b65be761d8472895c8fad23dbe82c6e3068bf1ac2548ddd6a09ef7274f26d04
MD5 hash:
cce09107ce9a2bd00204e1e66c367eb3
SHA1 hash:
c90f011e9001bcbccd23a4446f34672fddcf41be
Link:
https://www.unpac.me/results/235f28a3-5ac1-4aad-9dec-1093ad2a870f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8b65be761d8472895c8fad23dbe82c6e3068bf1ac2548ddd6a09ef7274f26d04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 8b65be761d8472895c8fad23dbe82c6e3068bf1ac2548ddd6a09ef7274f26d04

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/232704/

Comments