MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
SHA3-384 hash: 305a0c7e8297cf354d86facf74e44e4b032e2f682857793bbc68e10fa241fc0e35fb8a740ef666752098c642daf2c5f9
SHA1 hash: cbc890a816e9b7e993c90fb63d51526a76616323
MD5 hash: 4ce3b0e612e1968b6c491ab1ab818884
humanhash: jig-whiskey-mississippi-golf
File name:greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Download: download sample
Signature Loki
Create hunting rule
File size:182'352 bytes
First seen:2024-11-20 07:05:57 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
Threatray 4'419 similar samples on MalwareBazaar
TLSH T1A9044AA59A3448D8BBCD4E9BBEFCB7AC3178435F96D61E92434B7481CD2420D949052E
Magika txt
Reporter abuse_ch
Tags:hta Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://94.156.177.41/simple/five/fre.php https://threatfox.abuse.ch/ioc/1346202/

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673d8b9cebd8decee51f316f
Tags:
infosteal gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/673d8a5da99242316c493cf5/reports/36d72525-015e-4592-b782-fd20c8c8c014/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
Result
Threat name:
Cobalt Strike, HTMLPhisher, Lokibot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1559141
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Cobalt Strike Beacon
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected HtmlPhish44
Yara detected Lokibot
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1559141 Sample: greetingwithgreatthignsgive... Startdate: 20/11/2024 Architecture: WINDOWS Score: 100 79 Suricata IDS alerts for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 18 other signatures 2->85 9 mshta.exe 1 2->9         started        12 rrwscqkDSNwLK.exe 2->12         started        14 svchost.exe 1 1 2->14         started        process3 dnsIp4 101 Detected Cobalt Strike Beacon 9->101 103 Suspicious powershell command line found 9->103 105 PowerShell case anomaly found 9->105 17 powershell.exe 36 9->17         started        107 Antivirus detection for dropped file 12->107 109 Multi AV Scanner detection for dropped file 12->109 111 Tries to steal Mail credentials (via file registry) 12->111 113 Machine Learning detection for dropped file 12->113 22 schtasks.exe 12->22         started        24 rrwscqkDSNwLK.exe 12->24         started        77 127.0.0.1 unknown unknown 14->77 signatures5 process6 dnsIp7 73 192.3.243.136, 49706, 80 AS-COLOCROSSINGUS United States 17->73 59 C:\Users\user\AppData\Roaming\caspol.exe, PE32 17->59 dropped 61 C:\Users\user\AppData\Local\...\caspol[1].exe, PE32 17->61 dropped 63 C:\Users\user\AppData\...\q4e1refv.cmdline, Unicode 17->63 dropped 87 Detected Cobalt Strike Beacon 17->87 89 Powershell drops PE file 17->89 26 caspol.exe 6 17->26         started        30 powershell.exe 21 17->30         started        32 csc.exe 3 17->32         started        34 conhost.exe 17->34         started        36 conhost.exe 22->36         started        file8 signatures9 process10 file11 67 C:\Users\user\AppData\...\rrwscqkDSNwLK.exe, PE32 26->67 dropped 69 C:\Users\user\AppData\Local\...\tmpB7C8.tmp, XML 26->69 dropped 115 Antivirus detection for dropped file 26->115 117 Multi AV Scanner detection for dropped file 26->117 119 Detected Cobalt Strike Beacon 26->119 123 4 other signatures 26->123 38 caspol.exe 26->38         started        43 powershell.exe 26->43         started        45 powershell.exe 23 26->45         started        49 2 other processes 26->49 121 Loading BitLocker PowerShell Module 30->121 71 C:\Users\user\AppData\Local\...\q4e1refv.dll, PE32 32->71 dropped 47 cvtres.exe 1 32->47         started        signatures12 process13 dnsIp14 75 94.156.177.41, 49710, 49711, 49713 NET1-ASBG Bulgaria 38->75 65 C:\Users\user\AppData\...\31437F.exe (copy), PE32 38->65 dropped 91 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 38->91 93 Tries to steal Mail credentials (via file / registry access) 38->93 95 Tries to harvest and steal ftp login credentials 38->95 97 Tries to harvest and steal browser information (history, passwords, etc) 38->97 99 Loading BitLocker PowerShell Module 43->99 51 conhost.exe 43->51         started        53 WmiPrvSE.exe 43->53         started        55 conhost.exe 45->55         started        57 conhost.exe 49->57         started        file15 signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0/
Threat name:
Script-JS.Trojan.Acsogenixx
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 07:01:58 UTC
File Type:
Text
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6dmwkxa3sarpy57yb54vc5q4xkfiwvy6w2kubbmt3uf3st3ioqa._file
Verdict:
malicious
Label(s):
lokibot
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
11f9aa994a349d0b21caacb75e8b7198f1f52828628efd891aa7116b261e2182
Loki
89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c
Loki
b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727
Loki
d4c86776bcf1dc4ffd2f51538f3e342216314b76cdba2c2864193350654a9aca
Loki
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
Loki
error
Loki
f3246d0ca5ca8e69f98ca33b2c17813d5d862049dcfa9931dbcbaaaf7543a1f7
Loki
fc05c8cd30f572b0db13bc5189c99ce499f133f7b65167c06518638c26623a81
Loki
+ 4'409 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection defense_evasion discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/241120-hw3gysshmf/
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

HTML Application (hta) hta a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3296942/
  
Delivery method
Distributed via web download

Comments