MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 925afe447ef8e9cfc9b7d2378cc6d5407f35dd66b7660a91ff31f096838e61da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 925afe447ef8e9cfc9b7d2378cc6d5407f35dd66b7660a91ff31f096838e61da
SHA3-384 hash: 96c70ef2dd1853081d2d734bb46eabffe788de0389806e4d5a31e2d13bb1562a72de4668af627e297c419d0abfbefe8e
SHA1 hash: 4f780f2b6d43f7eb171652cd6cdebd8f253a61f6
MD5 hash: 6106cfa811939d23a9b2e97d38fc9e5b
humanhash: spring-fillet-robin-california
File name:DHL EXPRESS .exe
Download: download sample
Signature Loki
Create hunting rule
File size:349'696 bytes
First seen:2020-10-26 12:41:25 UTC
Last seen:2020-10-26 15:21:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:dj59vI3at6w9KrkNDuGXYPEWIYxucfuYpljiouy5M803Qgg78Hc7QMlsjrqQ:t59ga0w9ikNyXbXnGmjT03Jq8HcD+jr1
Threatray 1'788 similar samples on MalwareBazaar
TLSH EF74F230B4E23DB7D2E68FF711B8A62073B2255B170BE565D7B876E04AC27E047A0917
Reporter abuse_ch
Tags:DHL exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mail.energotech.ro
Sending IP: 92.55.147.110
From: DHL EXPRESS<customerservice@dhl.comr>
Reply-To: DHL EXPRESS<tuanhhtp@yahoo.com.hk>
Subject: DHL EXPRESS Delivery Service Notification
Attachment: DHL EXPRESS .zip (contains "DHL EXPRESS .exe")

Loki C2:
http://195.69.140.147/.op/cr.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79045/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3913.28330.5683.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Reading critical registry keys
Creating a file
Changing a file
Replacing files
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Connection attempt to an infection source
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/511727
Signature
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/925afe447ef8e9cfc9b7d2378cc6d5407f35dd66b7660a91ff31f096838e61da/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 01:08:39 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjnp4rd67du47snx2i3yzrwvib7tlxlgw5tavep7ghyjna4omhna._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0237202354dd53b6bea45eb62bfbe0a6cbf5652c259c483eec90501c694b9c4a
Loki
66218c59b90a7b21032d19dc4c622476971a55c9d7bcf90a3d76b10319e121e4
Loki
8f712c89da9b64d0002d5b1a6d666d489d3d648e81468d53bf12aaec3252d187
Loki
aa62a7c119d52e630f4cd8611896a896f9d4f0a9cb413f2c34e42df42b623385
Loki
bd27a7ed5963244a06f89fca7b3cb60b7abe2b5b4f3a37d4a47cf229bbc9f0de
Loki
c42589d2d88a04d7fb74e4e4fa24457d912a2e263ae583c4a1126dec475046b2
Loki
de935b51159e53b284995dc7d2330a16479d7a13f459b56fbfec6d2a0c90e33f
Loki
e229a2989b9e6bc90c114f9e6b7a0cdbeb106ccd7b90c70591ec48dce41aa6ba
Loki
e4eb60286144e5b15e8da0f9e82152e983b9c9db20fe71617d28fc887b4c606d
Loki
f29248ba63854390d06d1e2822772e6364baec857d4ea43d2101c72f16052915
Loki
+ 1'778 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
trojan spyware stealer family:lokibot
Link:
https://tria.ge/reports/201026-yt491egl8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://195.69.140.147/.op/cr.php/WnitofezlGLsJ
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip ad31cbc96c127bce49a52d4357b0b79eb0577329dff4c620260539b028ffdbef

Loki

Executable exe 925afe447ef8e9cfc9b7d2378cc6d5407f35dd66b7660a91ff31f096838e61da

(this sample)

  
Dropped by
MD5 992793dfa9445c0d6f46d9024518c19a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ad31cbc96c127bce49a52d4357b0b79eb0577329dff4c620260539b028ffdbef
Cape
Cape
https://www.capesandbox.com/analysis/79045/

Comments