MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3
SHA3-384 hash:	249c4cb2b7f642de93ffe1afa2c0ba40a9515f3da7fd4877c8f0fb5be372e4bc37054a82e799cfeb9eccacbf823e018c
SHA1 hash:	5625f808144ce437f4a3003470d659676c7c9ba9
MD5 hash:	2f7d2fa4cb4bcc97e911954d70464160
humanhash:	bluebird-indigo-lamp-apart
File name:	DHL Shipment Documents.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	672'256 bytes
First seen:	2023-03-20 10:26:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:FeimYMUnFW/NBb0Q1bJCpfVgCqQsGJGlZ3OzN0wpZ66aKtN2tvnYqvtgy:FeiUHcp9gCqQ+lqOwpZ6D6gZ
Threatray	240 similar samples on MalwareBazaar
TLSH	T13EE402782BAA5639F53643BE84E43285577E23B22B27C54E00F611CE57A3B035ED066F
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	209488c66eb85922 (14 x AgentTesla, 7 x Loki, 7 x Formbook)
Reporter	abuse_ch
Tags:	DHL exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

222

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

DHL Shipment Documents.exe

Verdict:

Malicious activity

Analysis date:

2023-03-20 10:29:22 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/69f5a97d-a6da-4ae4-a803-79253053d01c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LokiBot

Link:

https://www.capesandbox.com/analysis/375844/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Reading critical registry keys

Changing a file

Sending an HTTP POST request

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/641834f728f6cfd59136c779/reports/ff404d00-5a97-4b79-a97e-78c28f83f83b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fbff5dfa-9d56-4edb-8f40-6631c21ac943

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1197548

Signature

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3/

Threat name:

ByteCode-MSIL.Trojan.LokiBot

Status:

Malicious

First seen:

2023-03-20 07:33:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=thbxkvwu325nbhswnqyutaxl2fiq3vet3pslx2pe5i4fpx42yhrq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

47cf874fe9a2512b9a871e1d2f647c8e299e11fedae62b4075a98861f5488b16

Loki

512c02ea092713ae33b44e5074b6d0e35d934fc9dc3b1c7a6f789ec010d77f71

Loki

66891afe754c3aab6b8fa33af83ed871fc37d7e6668f02b3b0c7ef0e96756b20

Loki

93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1

Loki

d5cb1606ff03d81b9ea9d7c2bc0f5a1edf4111128c3297ced689893bd0ded9ff

Loki

fccebf9b597398ab3e46b9f50076f8a3bcdb24cd4f3786e1c4540637cf32d96b

Loki

fd63f671c5984fd1cd39cf00e35bf5e978b8dedce3e209d29c120325f1984254

Loki

+ 230 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230320-mg376ach83/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://64.227.48.212/?page_id=215360
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

d73596943c09d0230994d310028bef88b0358dcbbdef10775cea23ee3c06249c

MD5 hash:

eef8b98df7ab3f7ef950c2dcfbb44726

SHA1 hash:

f8c3fdb24a1f85a80369ada7395313e2e6d3d639

Link:

https://www.unpac.me/results/82f95968-de8f-49f2-8341-f982484d5965/

SH256 hash:

7d16fd9c11c4a39ec9773b75f121e2375d49a3404fb0fa12050dc49a7345daae

MD5 hash:

ec311985b3a84b0738edb78d02841bcd

SHA1 hash:

e2471a3c33adadac4be81f243172a8385a4c9cf9

Link:

https://www.unpac.me/results/82f95968-de8f-49f2-8341-f982484d5965/

SH256 hash:

8c94dbbc9fa42cb45b8f6ba134df4ec28dd24c5dd93f80d286eff7552d073e11

MD5 hash:

895b9bc06dacb5097757497c4317ae0f

SHA1 hash:

c3f4579fca0325ac3189b6089eeb5d052df66701

Link:

https://www.unpac.me/results/82f95968-de8f-49f2-8341-f982484d5965/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/82f95968-de8f-49f2-8341-f982484d5965/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

1d69a988f929de8a3a7418c1d95b99f98837a2eeeee4c78fddf5bb6ea2a5f3a7

MD5 hash:

91e860509944f7ab6a535e601787c217

SHA1 hash:

812cadc7759b4ae8fd15ac755afb2a4e61383b81

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/82f95968-de8f-49f2-8341-f982484d5965/

Parent samples :

99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3
1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
bc8a12bfd7a792586d78f4fac22f22ac9d2dfe31452d2e99b7cd47180bd4b295
5224ad26b096f110856cfa5e9713928ba3704c860b3ea022ff4c8b271c2a6997
7589df135ac8e8da5e6e8bef446256bccbdbb92831e8cf89705bb2a19f5317e2

SH256 hash:

99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3

MD5 hash:

2f7d2fa4cb4bcc97e911954d70464160

SHA1 hash:

5625f808144ce437f4a3003470d659676c7c9ba9

Link:

https://www.unpac.me/results/82f95968-de8f-49f2-8341-f982484d5965/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/99c37556d4de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/99c37556d4debad09e566c314982ebd1510dd493dbe4bbe9e4ea3857df9ac1e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/375844/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample