MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9
SHA3-384 hash: 81071b31905fe456f2a5328352d2f659a833d637647b0d6edb675225294805d10b69e062f14a25b4d3a6ecbf46163998
SHA1 hash: a3ed922ee5d0f1eca5f44ec35310600334ce89e4
MD5 hash: 9a1b6f469ae1ed4f63973d0d681bf203
humanhash: pennsylvania-network-echo-bravo
File name:TNT Original Invoice PDF.exe
Download: download sample
Signature Loki
Create hunting rule
File size:23'552 bytes
First seen:2021-01-18 07:50:47 UTC
Last seen:2021-01-18 12:17:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:KlOunI/Fx+7DsxlfVT0Vf/AIqkbWibT7dKiPM/js3D5c907W5+ionW5MVRVOUni7:KlUdT0B/19/T7oBjf67WLXeJM5ApAbBJ
Threatray 2'297 similar samples on MalwareBazaar
TLSH AFB25F3C7DD41A33EA7BA67AD9E605C7FB62358332524C1E668B83411C03B963D89A1D
Reporter abuse_ch
Tags:exe Loki TNT


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mageneet.com
Sending IP: 45.145.185.72
From: TNT eInvoicing <service@tnt.com>
Reply-To: TNT eInvoicing <mamart_fendi@yahoo.com>
Subject: TNT Shipment Arrival Notification Consignment No. 20211801579206
Attachment: TNT Original Invoice PDF.zip (contains "TNT Original Invoice PDF.exe")

Loki C2:
http://51.195.53.221/p.php

Intelligence

File Origin
# of uploads :
3
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT Original Invoice PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 08:00:51 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/91374903-fb8d-447a-8ef6-3b32e897c1ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112422/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.113.24485.25198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/583771
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 340924 Sample: TNT Original Invoice PDF.exe Startdate: 18/01/2021 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 15 other signatures 2->89 7 TNT Original Invoice PDF.exe 24 7 2->7         started        12 TNT Original Invoice PDF.exe 2->12         started        14 TNT Original Invoice PDF.exe 2->14         started        process3 dnsIp4 63 pastebin.com 104.23.98.190, 443, 49714 CLOUDFLARENETUS United States 7->63 65 135.125.27.253, 49713, 49751, 80 AVAYAUS United States 7->65 53 C:\Users\...\TNT Original Invoice PDF.exe, PE32 7->53 dropped 55 TNT Original Invoi...exe:Zone.Identifier, ASCII 7->55 dropped 57 C:\Users\...\TNT Original Invoice PDF.exe.log, ASCII 7->57 dropped 91 Creates an undocumented autostart registry key 7->91 93 Adds a directory exclusion to Windows Defender 7->93 95 Hides threads from debuggers 7->95 16 TNT Original Invoice PDF.exe 7->16         started        20 powershell.exe 20 7->20         started        22 powershell.exe 26 7->22         started        34 6 other processes 7->34 67 104.23.99.190, 443, 49759 CLOUDFLARENETUS United States 12->67 97 Creates autostart registry keys with suspicious names 12->97 99 Creates multiple autostart registry keys 12->99 101 Injects a PE file into a foreign processes 12->101 24 powershell.exe 12->24         started        26 powershell.exe 12->26         started        28 powershell.exe 12->28         started        30 powershell.exe 12->30         started        32 iexplore.exe 14->32         started        file5 signatures6 process7 dnsIp8 59 51.195.53.221, 49715, 49716, 49718 OVHFR France 16->59 75 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->75 77 Tries to steal Mail credentials (via file access) 16->77 79 Tries to harvest and steal ftp login credentials 16->79 81 Tries to harvest and steal browser information (history, passwords, etc) 16->81 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        61 192.168.2.1 unknown unknown 32->61 44 iexplore.exe 32->44         started        47 conhost.exe 34->47         started        49 conhost.exe 34->49         started        51 WerFault.exe 34->51         started        signatures9 process10 dnsIp11 69 avatars3.githubusercontent.com 44->69 71 avatars1.githubusercontent.com 44->71 73 2 other IPs or domains 44->73
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 07:51:08 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgk3wenvct4gdfwrycbg77ohze62gers2l3iwkay4lzjhnmsj7uq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
091147efcc092211dd85bac1a51be26bb3f1c87545dbe3d6f5a9d3486cfb04e4
Loki
22dcfba741c1520791b89cc96a2b81c32b125d3035c8da71cf956c07aceee138
Loki
5703a2c4b9de691d7acbb7faa076945e75a0cb39fcf904576ece19e596a2d48c
Loki
6e3d560223931665e1ace60fb4f095f84525306e399d16c1cca7fa0a7555e7ea
Loki
77777da436f12d38fe7834a137bc2bf51c1f09324a1e274d22e51c2ee0b4b8c3
Loki
7880e819461fdc72eb551b9cdcbd6d0e8417c685d62efb649caca31307009a66
Loki
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
Loki
d3fe0091ab7aa340ca46bb92d48453fea9a6a9d778ff6d7e8a7a4861850173e7
Loki
e4ae2cb5ba91a9b7a87cb5d79158e07f8252e8c3ad0649fca573a0d73bbbdc62
Loki
f834e2059da963db70d88af267f09807a69fb3edfaefc344e5ab542911835be3
Loki
+ 2'287 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210118-chdm9n5qz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Suspicious use of NtCreateProcessExOtherParentProcess
Turns off Windows Defender SpyNet reporting
Lokibot
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/cfOoZYb0LXPms
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9
MD5 hash:
9a1b6f469ae1ed4f63973d0d681bf203
SHA1 hash:
a3ed922ee5d0f1eca5f44ec35310600334ce89e4
Link:
https://www.unpac.me/results/a2e57209-a0f8-427c-ba31-2d0339c03446/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many file transfer clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifcats observed in infostealers
Rule name:infostealer_loki
Create hunting rule
Rule name:infostealer_xor_patterns
Create hunting rule
Author:jeFF0Falltrades
Description:The XOR and string patterns shown here appear to be unique to certain information-stealing malware families, namely LokiBot and Pony/Fareit. The XOR patterns were observed in a several loaders and payloads for LokiBot, but have also appeared (less frequently) in Pony/Fareit loaders and samples. The two accompanying rules below can be used to further classify the final payloads.
Rule name:Loki
Create hunting rule
Author:kevoreilly
Description:Loki Payload
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

tar 6a3d26f0fa90c527a5946ccefe1c638a84345619809fb30c8b1a9b6b60ab553c

Loki

Executable exe a995bb11b514f86196d1c0826ffdc7c93da31232d2f68b2818e2f293b5924fe9

(this sample)

  
Dropped by
MD5 aa61b458d18c533dc35966749d6ac976
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112422/
  
Dropped by
SHA256 6a3d26f0fa90c527a5946ccefe1c638a84345619809fb30c8b1a9b6b60ab553c

Comments