MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167
SHA3-384 hash: 40c258d750891dc72bf4523822ad84620b7018003a45fc6b973c3280920f83e95f96faeed016f3ed9f153f24664fdc59
SHA1 hash: 0b61936edf30ccd23f6b70ee6cd79cc61fc712c5
MD5 hash: f1674ed05c13b5833fcdb769c1b1ed89
humanhash: glucose-oranges-island-sixteen
File name:SalesContract_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:798'720 bytes
First seen:2023-05-02 05:38:13 UTC
Last seen:2023-05-13 22:56:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:WWK2iNvMAdT8DDItkBIe/5uUgIZd/DtfLh5:E1tVT8DDXWeA7IZd/
Threatray 4'305 similar samples on MalwareBazaar
TLSH T178059D917174CE9FF87597F04C59F90023F2B86B90E0D11D2DA67ADAE8B2B02055AB4F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 79e0c4ccccc4c4c0 (11 x Loki, 4 x AgentTesla, 3 x SnakeKeylogger)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
230
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
SalesContract_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-02 05:41:33 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/c6dd7c66-1390-4c2d-a033-bafdbd7c1496

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/385917/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys comodo lokibot packed
Link:
https://www.filescan.io/uploads/6450a1f795c50aca147c4c97/reports/8c760db9-01cf-4718-a48c-eddefb13ad3a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed795d8d-b36d-424a-a827-7edb1ebb98d7
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1224336
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 857289 Sample: SalesContract_pdf.exe Startdate: 02/05/2023 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic 2->43 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 9 other signatures 2->49 7 SalesContract_pdf.exe 7 2->7         started        11 JxXJnszG.exe 5 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\JxXJnszG.exe, PE32 7->33 dropped 35 C:\Users\...\JxXJnszG.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp304C.tmp, XML 7->37 dropped 39 C:\Users\user\...\SalesContract_pdf.exe.log, ASCII 7->39 dropped 51 Uses schtasks.exe or at.exe to add and modify task schedules 7->51 53 Adds a directory exclusion to Windows Defender 7->53 55 Injects a PE file into a foreign processes 7->55 13 SalesContract_pdf.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        21 SalesContract_pdf.exe 7->21         started        57 Multi AV Scanner detection for dropped file 11->57 23 schtasks.exe 1 11->23         started        25 JxXJnszG.exe 11->25         started        signatures5 process6 dnsIp7 41 185.246.220.85, 49696, 49697, 49698 LVLT-10753US Germany 13->41 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->59 61 Tries to steal Mail credentials (via file / registry access) 13->61 63 Tries to harvest and steal ftp login credentials 13->63 65 Tries to harvest and steal browser information (history, passwords, etc) 13->65 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 23->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-05-01 07:14:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vq44c7yhb4ex4qpucv42e24ohamwh66rapswzpp56xjfeboc4ftq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
018c0b80b1914e2cbaf2de5b0e41a86e391fa88187fed25346adbec1eb5e3c45
Loki
1c50b01cbeaf831465322319b5697cea9f857dc113127439230c86c68ebb6698
Loki
54ce28992dff46801741011c4bc6f2f893dd21cb5cabe7d59214e584279a7fda
Loki
5a9397f2ec2a6609708ad1bbbff41e1d6d099d863d0714003d35070be9786edd
Loki
74c836dfe668140a6936e71347ac8eafd517ec914d7201666081f99c2a6ae846
Loki
cc6eac2e2359b08c5e5c37cafac26d252ca8f22992168fbf5c70a5471ed86ad6
Loki
cfe9a5c61a337677133e024d05f571e038c970fac99e7a9c4c96a6f13d1d0d84
Loki
d54151c230934c4d85c69c1b0e9f8dacd60104fde0d2036a7752f49293d25c5b
Loki
e446bfc6a1d4e343f6840965abf9d010f5c32e06b188d3d076fd2e3e0b0bab79
Loki
fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
Loki
+ 4'295 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230502-gcar6abf4z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://185.246.220.85/blair/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/864a6481-abda-4501-91d5-b1b2a1399db7/
SH256 hash:
91041f1f33f1338cd03a8c06a6604a9a4563f5da91881e732a37a82cd207d6a3
MD5 hash:
677302595e188b4367b0318031867a3c
SHA1 hash:
89f67045107ba9fcc8b2b9f253f038c9fba068ea
Link:
https://www.unpac.me/results/864a6481-abda-4501-91d5-b1b2a1399db7/
SH256 hash:
8517d0a054c9a93bc2141c026e03ffb61a2a9fd2df8c5c5dc027f8ca169f8f55
MD5 hash:
663fba1c58d922cc93a1785bc22ac454
SHA1 hash:
37580311be534efb8d4ad3c7a2219110d00a36e1
Link:
https://www.unpac.me/results/864a6481-abda-4501-91d5-b1b2a1399db7/
SH256 hash:
8362a107d309eb065d84b5780573c9fd37827ff8f975eaa758b6cec1091172fc
MD5 hash:
c23099f8f63823b69870bfbf7749ecef
SHA1 hash:
2651b69408237d6854e68fc610ea8bb12acae4fd
Link:
https://www.unpac.me/results/864a6481-abda-4501-91d5-b1b2a1399db7/
SH256 hash:
e3c9c30badebb3313c557c1f9c9838bbedf0cc3039d72ea77e608f676069740c
MD5 hash:
868a56b4856375ee3aa846b606c33239
SHA1 hash:
07fa86b2fcb7df96e056d0b2b4876080714b3cba
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/864a6481-abda-4501-91d5-b1b2a1399db7/
Parent samples :
9889a91e24a729669aa276f27617f5169fd9d8f0358be427ed4e4cd9bb8e5dab
ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167
2071a487cad8b16b69b9951410d61564b4cfcc0bcf7c45108d10135bee256337
8e6cde38df37ec19a97ac003f47a15629fb425b19ed6e869f108512555fc4f95
fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894
84404319135e2e1cc2bced7f56c99a81c1b19dc442966d3f0b1fa21756ee94b8
29fb5b111ae1c20a4b6a0e74b8df0748b1ccea58aa9d07a80f0bd1bb4577db56
SH256 hash:
ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167
MD5 hash:
f1674ed05c13b5833fcdb769c1b1ed89
SHA1 hash:
0b61936edf30ccd23f6b70ee6cd79cc61fc712c5
Link:
https://www.unpac.me/results/864a6481-abda-4501-91d5-b1b2a1399db7/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac39c17f070f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/385917/

Comments