MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97e20a8b0bef654fd20528c20efdb227a31b7e923213fc5e09eead2c71c3da5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 2 File information Comments

SHA256 hash:	97e20a8b0bef654fd20528c20efdb227a31b7e923213fc5e09eead2c71c3da5e
SHA3-384 hash:	6175b640b14e7e8db4e971f293024203806f56aa4f20b1a5fca755787ed16e3845df7b9b581249f4bd3a7e57c0cf4177
SHA1 hash:	6893b872ff26a79852895741fafe7a56c103df16
MD5 hash:	9847df5577eb0955b669ddf69d17c3c5
humanhash:	edward-hawaii-sweet-friend
File name:	DHL 6657406324.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	877'056 bytes
First seen:	2022-04-04 07:40:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:t/C2iNf0uyCoVyWfji2Euv/0Y2uoa3D5K0UedyhefzzmNaNAezfemoDVbNUH7:E1GuyRzCuXo69dyheEGEDVbN6
Threatray	7'221 similar samples on MalwareBazaar
TLSH	T16E15125D769860BADBFBA7B508B904916B3DAD0F3969C40A39F0EC5979773C0408C7A3
File icon (PE):
dhash icon	cc963355553396cc (4 x AgentTesla, 1 x SnakeKeylogger, 1 x Loki)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://164.90.194.235/?id=11697289214026050

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://164.90.194.235/?id=11697289214026050	https://threatfox.abuse.ch/ioc/488449/

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/260390/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed update.exe

Link:

https://www.filescan.io/uploads/624aa10eaa7e43c6a6b54d49/reports/61db7139-1e68-4858-a928-fe54e0de2333/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/827e45fe-75fb-45f9-b16f-2da23bacedf7

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/969794

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/97e20a8b0bef654fd20528c20efdb227a31b7e923213fc5e09eead2c71c3da5e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-04-04 07:41:12 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s7ravcyl55su7uqffdba57nse6rrw7usgij7yxqj52wsy4od3jpa._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

20dde0ac9cfe41a1b3b1d6b7cb58008cb95a76b4876ca823d1b5f6a5ebf03bcc

Loki

4896dda29c782a97640157ea008a9438707258e179b05b0a62cb04b4598830ba

Loki

ad3af06a00760b7a7db8fe0261a373b706eb23b12f415ae3bb0c6327e18a0558

Loki

c6c5c9422bed0bb1ca5bbbdab573b59d53b6d3699f3d9b843b5e30b79964a79f

Loki

f6d0dff73d9ce1016095bd9f8ab244b8a651e96ef43dfc4581d0e9c7b442ed56

Loki

+ 7'211 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer suricata trojan

Link:

https://tria.ge/reports/220404-jh321aggcm/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://164.90.194.235/?id=11697289214026050
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

717470e065044142ab26927f1b77a5d300d4d0e013117cf8213e808ee938ab93

MD5 hash:

8ae31c871be03c3646076c1fa7a36a4f

SHA1 hash:

eed843342ed43ef6c6190ceaf9d12c3568ed62f4

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/e6d44c8e-43e6-49f2-bd01-a494811c634c/

Parent samples :

118047694add7eb6954dc573ae6626ba47b92db9f12a579210d6f9e6403a5e6b
97e20a8b0bef654fd20528c20efdb227a31b7e923213fc5e09eead2c71c3da5e

SH256 hash:

e42ce33fea8a19f6aa7678745e5ca43e9c40d553c83d89c8e73d8fb5434dec99

MD5 hash:

957970571e2085fb26e75946152fe652

SHA1 hash:

205ac566c01a64c4654b379478da57bdf151ebec

Link:

https://www.unpac.me/results/e6d44c8e-43e6-49f2-bd01-a494811c634c/

SH256 hash:

e05a948c61470d35db4d64aafa3390a0eebcb6ced04c390ee08fb9c12f21619a

MD5 hash:

91ea8c2636b152a50add3e623c6bad39

SHA1 hash:

345422b24da559f6c3c22a13147a84a05c0066c6

Link:

https://www.unpac.me/results/e6d44c8e-43e6-49f2-bd01-a494811c634c/

SH256 hash:

71764eb60a83a17343af4a26bf3ec546c5ee08454722233fd5cf59693327b1a4

MD5 hash:

bfcf754fb9acba752f79f44817b7be23

SHA1 hash:

01af19456b6f97790973d0d67a97ecc362ab7aed

Link:

https://www.unpac.me/results/e6d44c8e-43e6-49f2-bd01-a494811c634c/

SH256 hash:

97e20a8b0bef654fd20528c20efdb227a31b7e923213fc5e09eead2c71c3da5e

MD5 hash:

9847df5577eb0955b669ddf69d17c3c5

SHA1 hash:

6893b872ff26a79852895741fafe7a56c103df16

Link:

https://www.unpac.me/results/e6d44c8e-43e6-49f2-bd01-a494811c634c/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/97e20a8b0bef/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/97e20a8b0bef654fd20528c20efdb227a31b7e923213fc5e09eead2c71c3da5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260390/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample