MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
SHA3-384 hash: 9ed00d0c66df881d17b6893b3b88309ae645d47c562a0996dcf2e002b004fbc6cae4fc8bff3d8873b9c8a5d3e7c7cd77
SHA1 hash: fb44ba8de7862e644239d29343550eb879b25dd8
MD5 hash: 8d03a09d0f5d5f2c196be0657d169636
humanhash: spring-batman-helium-black
File name:Statement Of Account.exe
Download: download sample
Signature Loki
Create hunting rule
File size:576'269 bytes
First seen:2024-10-27 07:48:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 77b2e5e9b52fbef7638f64ab65f0c58c (12 x Formbook, 2 x Loki, 2 x AgentTesla)
ssdeep 12288:V9BvctM85t35JPNJj2WzoRLQYRYzmYxU6sDuo88OQQkpG:VD0tM85tbNJjldeYiYxmuo8PWG
Threatray 1'091 similar samples on MalwareBazaar
TLSH T1A5C42346F184A0FADCEA45B15CD375491ABBDE32393793970339AACFAC78D1060274DA
TrID 87.0% (.EXE) AutoIt3 compiled script executable (510622/80/67)
4.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
1.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon b150b26869b2d471 (468 x Formbook, 101 x RedLineStealer, 94 x AgentTesla)
Reporter threatcat_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
404
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
StatementOfAccount.exe
Verdict:
No threats detected
Analysis date:
2024-10-27 07:52:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1682df89-5e26-499b-bb67-dfb6604b1565

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27594.18136.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671df1b6a75e41aa67222994
Tags:
Infosteal Nymeria Autoit Buzus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Connection attempt
Creating a file in the %AppData% subdirectories
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit buzus compiled-script lokibot lolbin masquerade microsoft_visual_cc nymeria overlay packed packed packed packer_detected shell32 upx
Link:
https://www.filescan.io/uploads/671df06eb9dd804e948bedbe/reports/eeacc76c-1a86-443c-b631-95eb15d0e101/overview
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria.6441;AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/364646a3-b2d5-48d1-8ff1-2da82ce2756c
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1543094
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1543094 Sample: Statement Of Account.exe Startdate: 27/10/2024 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for domain / URL 2->36 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 9 other signatures 2->42 10 Statement Of Account.exe 1 2->10         started        process3 process4 12 Statement Of Account.exe 10->12         started        14 svchost.exe 10->14         started        signatures5 17 Statement Of Account.exe 12->17         started        19 svchost.exe 12->19         started        48 Tries to steal Mail credentials (via file registry) 14->48 process6 process7 21 Statement Of Account.exe 17->21         started        23 svchost.exe 17->23         started        process8 25 Statement Of Account.exe 21->25         started        28 svchost.exe 21->28         started        signatures9 44 Writes to foreign memory regions 25->44 46 Maps a DLL or memory area into another process 25->46 30 svchost.exe 165 25->30         started        process10 dnsIp11 34 94.156.177.220, 49704, 49705, 49706 NET1-ASBG Bulgaria 30->34 50 System process connects to network (likely due to code injection or exploit) 30->50 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->52 54 Tries to steal Mail credentials (via file / registry access) 30->54 56 2 other signatures 30->56 signatures12
Score:
71%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-10-24 13:01:00 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vq7ywgnr2kkslxo3dveoj7hxv3da5jozhphzxb2ptjq23xsmue6a._file
Verdict:
malicious
Label(s):
unknown_loader_036
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
lokibot
Create hunting rule
admintool_powerrun
Create hunting rule
Similar samples:
0fde9e8fc25981ecfa8b50415b78ed0b61daa5b224bfcc2f0afea6e9c40097f1
Loki
15582393b01b6c64d16d7c573cec24dc00954c1faede0dc69777a1caa9757f7d
Loki
310cb005c21c57556ce727e947b156d61715adea6d73c342902c8620f287643d
Loki
31607008c03354cf7b6b21d8d3ecc31186e39a92dca54c0c26c30ecd85957cec
Loki
e20cf5c319fe815eb1845556289e56f8c3241019a907adb6f4a33e8dc9ecab59
Loki
+ 1'081 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery spyware stealer trojan upx
Link:
https://tria.ge/reports/241027-jnnt9swglj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Accesses Microsoft Outlook profiles
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://94.156.177.220/skipo/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
loki
YARA:
n/a
Link:
https://app.threat.zone/submission/72d5880e-4630-4290-8737-15824165d7e7
Unpacked files
SH256 hash:
132ba4ce6af88fa3690551febf72f6cfe526477bd12692fd31753aaec62ddd25
MD5 hash:
2af98d46b7a3d59d5fc8a97b4c5a0819
SHA1 hash:
25304c72be70f0322c0bd95f19ed5c6c1325c8b6
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
Create hunting rule
Lokibot
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
STEALER_Lokibot
Create hunting rule
Link:
https://www.unpac.me/results/97724978-c44e-453c-bbe3-b8106efd7795/
Parent samples :
15582393b01b6c64d16d7c573cec24dc00954c1faede0dc69777a1caa9757f7d
ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
SH256 hash:
726a4de089658aa9845aaafdb43cf9b821606e8c497c3baa33b329c97b953c44
MD5 hash:
2694b7e8192e4ad5b5f48f9c074d4c31
SHA1 hash:
7b072bda81de2e4ed3c8acd9870ee471e8631763
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/97724978-c44e-453c-bbe3-b8106efd7795/
SH256 hash:
ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c
MD5 hash:
8d03a09d0f5d5f2c196be0657d169636
SHA1 hash:
fb44ba8de7862e644239d29343550eb879b25dd8
Link:
https://www.unpac.me/results/97724978-c44e-453c-bbe3-b8106efd7795/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac3f8b19b1d2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe ac3f8b19b1d29525dddb1d48e4fcf7aec60ea5d93bcf9b874f9a61adde4ca13c

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments