MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80
SHA3-384 hash:	893a4aa7a5b46f1111b1fa72017174f7ee33a0bee2f5136a82bef8645adb5185ae6aee4f2a764ac849165046eee56d18
SHA1 hash:	d2706b4cc55da872950c7f25708463981f3e958b
MD5 hash:	01e0bd2d4565ea1d049c6817b0290bf1
humanhash:	oregon-carbon-purple-football
File name:	SecuriteInfo.com.Gen.Variant.Nemesis.24843.17429.1976
Download:	download sample
Signature	Loki Alert Create hunting rule
File size:	517'557 bytes
First seen:	2023-06-29 02:27:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (384 x GuLoader, 58 x RemcosRAT, 40 x AgentTesla)
ssdeep	12288:9FKBG73lOUG2H7zS8zjDaKrvOIgGqXa7Xs:BrlMa7zbzPaK6IgZGc
Threatray	1'473 similar samples on MalwareBazaar
TLSH	T169B41240A3D221A6CC5548B75D6701794EC1AC1358C49F438B8D332A7A7BE85FE9FABC
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	04bc8e96aa8e8ef2 (8 x Loki, 4 x GuLoader)
Reporter	SecuriteInfoCom
Tags:	exe Loki

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

343

Origin country :

FR

Vendor Threat Intelligence

ANY.RUN Suspicious

Malware family:

n/a

ID:

1

File name:

SecuriteInfo.com.Gen.Variant.Nemesis.24843.17429.1976

Verdict:

Suspicious activity

Analysis date:

2023-06-29 02:28:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b8434fb6-bc5a-47f8-9ab0-2a80ae78c13c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Guloader

Detection:

Guloader

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/403658/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Gen.Variant.Nemesis.24843.17429.1976.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Creating a file in the %temp% subdirectories

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/94027/overview

Behaviour

MalwareBazaar

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

control lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/649cec34e1b9083ea6dbba97/reports/3ef631e0-5d1c-4a38-9d54-cfb941d78012/overview

Hybrid Analysis Win/malicious_confidence_70%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/65b73901-c4a6-4b90-991d-322971bdfce4

Joe Sandbox GuLoader, Lokibot

Result

Threat name:

GuLoader, Lokibot

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1263004

Signature

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected GuLoader

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80/

ReversingLabs TitaniumCloud Win32.Trojan.Guloader

Threat name:

Win32.Trojan.Guloader

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-06-29 02:28:06 UTC

File Type:

PE (Exe)

Extracted files:

5

AV detection:

20 of 24 (83.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vfuvejjwsvf7qerop27gpg6h3ca5xobtpedm7vmbv3exml4p7oaa._file

Threatray cloudeye

Verdict:

malicious

Label(s):

cloudeye

Alert

Create hunting rule

Similar samples:

2afb072fe81c319cbe4cee6d2c660a16a833b4243c8e5ea0aa041b2b974c3ef5

Loki

30c31a99eda4daca4085458968e8d09f450f1ed7170f76b95cf7694acb0c7f02

Loki

49f8ea644b5a69f7e8569c513168fa892922cc8e3e56617d7d225c9a85e3d520

Loki

79e1fc85396ae65e8431f8ceb92fefb5ec396381840d830c415ea2d81cb78a49

Loki

b3aef47ce44656fbea5139d6bd03d8847f633199b00462aefebe43ac6c91e352

Loki

b689885667b1f8a29bafedff5fc69526534732ebb7731d98bbc06f7005b245d5

Loki

e4a8a88bffaf744487df4bfd56f975542f59efb4aabe037f2ce5baea61875f98

Loki

ef66ea0bcee19ccd3d2771a170ff218a3e43b27f1b18f24e08685cb4d3fe053a

Loki

+ 1'463 additional samples on MalwareBazaar

Hatching Triage lokibot

Result

Malware family:

lokibot

Alert

Create hunting rule

Score:

  10/10

Tags:

family:guloader family:lokibot collection discovery downloader spyware stealer trojan

Link:

https://tria.ge/reports/230629-cx1f4acf61/

Behaviour

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks installed software on the system

Checks QEMU agent file

Loads dropped DLL

Reads user/profile data of web browsers

Guloader,Cloudeye

Lokibot

UnpacMe 2

Unpacked files

SH256 hash:

2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

MD5 hash:

a4dd044bcd94e9b3370ccf095b31f896

SHA1 hash:

17c78201323ab2095bc53184aa8267c9187d5173

Link:

https://www.unpac.me/results/478c6f1a-8a6b-4dfe-ab25-85a72bb89201/

SH256 hash:

a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80

MD5 hash:

01e0bd2d4565ea1d049c6817b0290bf1

SHA1 hash:

d2706b4cc55da872950c7f25708463981f3e958b

Link:

https://www.unpac.me/results/478c6f1a-8a6b-4dfe-ab25-85a72bb89201/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

exe a969522536954bf8122e7ebe679bc7d881dbb8337906cfd581aec9762f8ffb80

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2673414/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/403658/