MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc
SHA3-384 hash: 748a38e3e7d93c6af493bebc84fd7b5a89069c896fc6dfc21777206d399bd99910f24dbd60277395f6aa7fb6602345b5
SHA1 hash: 8fec121968d10edfe95b7a6dbf7339cac667a8a3
MD5 hash: e6ff8ae9da0da128c45568745f654de8
humanhash: jig-uniform-ten-foxtrot
File name:Final payment WO202308004.exe
Download: download sample
Signature Loki
Create hunting rule
File size:670'208 bytes
First seen:2023-09-04 00:55:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:EUOPypIzufOUmJZeCBd1lGH+fM7+L1if5ZYDA01H21wO:EUOPypIzuWUgZxBdvwaMuMaBN21wO
Threatray 3'771 similar samples on MalwareBazaar
TLSH T1F6E4CE416254C716E574B7F3D025A7F40BB6EE2AE5F6D20B1C827CDA36B3B400A52E27
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://pelsotin.buzz/moore/_errorpages/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Final payment WO202308004.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 00:57:40 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/db572067-4421-4b19-b9d5-4b6867711987

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/445890/
Detection(s):
Porcupine.Malware.58887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Enabling the 'hidden' option for analyzed file
Moving of the original file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64f52b24b7dd6394f7105662/reports/435b9073-c96a-4347-a13f-4fe605640136/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b777315-4223-4102-a48c-e614d1e45e58
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302508
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1302508 Sample: Final_payment_WO202308004.exe Startdate: 04/09/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 10 other signatures 2->53 7 Final_payment_WO202308004.exe 7 2->7         started        11 AUAqafpj.exe 5 2->11         started        process3 file4 37 C:\Users\user\AppData\Roaming\AUAqafpj.exe, PE32 7->37 dropped 39 C:\Users\user\AppData\Local\...\tmp9E96.tmp, XML 7->39 dropped 55 Uses schtasks.exe or at.exe to add and modify task schedules 7->55 57 Adds a directory exclusion to Windows Defender 7->57 59 Injects a PE file into a foreign processes 7->59 13 Final_payment_WO202308004.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 21 7->19         started        21 schtasks.exe 1 7->21         started        61 Multi AV Scanner detection for dropped file 11->61 63 Tries to steal Mail credentials (via file registry) 11->63 65 Machine Learning detection for dropped file 11->65 23 schtasks.exe 11->23         started        25 AUAqafpj.exe 11->25         started        27 AUAqafpj.exe 11->27         started        signatures5 process6 dnsIp7 41 104.21.33.209, 49710, 49714, 49716 CLOUDFLARENETUS United States 13->41 43 pelsotin.buzz 172.67.166.216, 49706, 49707, 49708 CLOUDFLARENETUS United States 13->43 45 192.168.2.1 unknown unknown 13->45 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->67 69 Tries to steal Mail credentials (via file / registry access) 13->69 71 Tries to harvest and steal ftp login credentials 13->71 73 Tries to harvest and steal browser information (history, passwords, etc) 13->73 29 conhost.exe 17->29         started        31 conhost.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-03 20:01:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v3wu5ejh5kwznvfx67svn5afgf5tg5cx24r5ne5mtchhdgodep6a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
17c15779e354a3ab07ababa6df6eea95a31d04dbebd7f981424995d4194b9eaf
Loki
51f462cfff7cce2803c70069e302a86c66f43cec35602171a4752a997013ca87
Loki
6bd5bbea9b02d99f157e191dbdfe2d772498c3443496738e2c8d92a9617a099e
Loki
6c09fd67d2c7eb94431138da2180c52e3e868d8ddf026f03fd86b0548fb0a3ef
Loki
705ed1e1f8bad8d0a099a90f3e4d782ce65bf336f2360137edf5ed03527ce9e9
Loki
763b9ddb8670835d34e5ecbd031c8077ad8c1e1572e43f558fa664a8d6b0c4d5
Loki
830f74bfd54c88a3f3959a2b9a22f71f7fa85986137687184f993ddbe02433ac
Loki
ab58dcfff4c29d6f6f4d6088c46007a8aba87bb950aedda3a6a5bb0c9d688cc8
Loki
bbe65b794bbd8e5950100994809d8744331b943035f93572b73830b97e59eed0
Loki
cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825
Loki
+ 3'761 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230904-back3sdb75/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://pelsotin.buzz/moore/_errorpages/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
2ac2f55e15fd8da559f99925ceee9166ca978e94cbc53a5cb29bf02d0a76ac7f
MD5 hash:
1081db0b25581c7958e6fbff4d9aa64a
SHA1 hash:
bcb0e0fe844884a5b0d05cd3b0cc5fd7a5ff53b9
Link:
https://www.unpac.me/results/b187e7ad-f912-4894-86c0-dfb1c50cbaf6/
SH256 hash:
c094444932babf732e788625413d66665af54fa789015decb7e2da3d3ab25dc3
MD5 hash:
49204dbac9267797c9f6679a4bac06ec
SHA1 hash:
5590f19a53f6e6a88d14adfbc83ea1cd7ae002c7
Link:
https://www.unpac.me/results/b187e7ad-f912-4894-86c0-dfb1c50cbaf6/
SH256 hash:
3fe6ed4489cb011e4f93b051e32299784de585732e08eb52c07c30aff83d667c
MD5 hash:
975844a8364fd5b02c48210bec9d8185
SHA1 hash:
45979366ab9034379c5e92337339a76cd4397e7f
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/b187e7ad-f912-4894-86c0-dfb1c50cbaf6/
Parent samples :
aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc
f35387c5477d345aa5ea3828aac9cc176d09e833d40307387bf023f47fdbf446
SH256 hash:
62c7e06854e7520ce44f0857ed20cef9f699d93b77160e77de338431c8d9d0bb
MD5 hash:
d4859359660b0864709d5c5dce6ee903
SHA1 hash:
103e0f71efc29210d34aa7ecbcda658a68a9a399
Link:
https://www.unpac.me/results/b187e7ad-f912-4894-86c0-dfb1c50cbaf6/
SH256 hash:
aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc
MD5 hash:
e6ff8ae9da0da128c45568745f654de8
SHA1 hash:
8fec121968d10edfe95b7a6dbf7339cac667a8a3
Link:
https://www.unpac.me/results/b187e7ad-f912-4894-86c0-dfb1c50cbaf6/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aeed4e9127ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aeed4e9127eaad96d4b7f7e556f405317b337457d723d693ac988e7199c323fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/445890/

Comments