MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727
SHA3-384 hash: d46fff281cfdac44fcbcdd94c3d4ee6ce9e59bbb6570d3e9f677c6ef292eaf3bf7f6f2452cffd2ff5bc25ccae2bd1631
SHA1 hash: 5a67dd2a7f6e75324129678af99b09936bc5e2e9
MD5 hash: 51ff32b18625da8e57f2b01773842cfe
humanhash: fanta-football-hot-kitten
File name:seemybestbeautifulgirlwhowantbestthignsenitrelifetimethingstobe.hta
Download: download sample
Signature Loki
Create hunting rule
File size:182'394 bytes
First seen:2024-11-18 17:35:44 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:4vCl17nf2iLZ62iLqG4SPwYNf6hzhs2iL0Y5Q:4vCldnf2iLZ62iLISWs2iL0Y5Q
Threatray 4'410 similar samples on MalwareBazaar
TLSH T14C044BA5EA3048D9B7CC5E9BBEFCB79C3878835F4AD60E92935B3001DEA034D848556D
Magika txt
Reporter abuse_ch
Tags:hta Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673b7c6a80d21948b032953d
Tags:
infosteal gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/673b7b0973d2ce344bca6f30/reports/305b7c40-45b4-487c-a88e-b110c89c8d77/overview
Verdict:
Malicious
Labled as:
GT:JS.Acsogenixx.855
Link:
https://www.hybrid-analysis.com/sample/b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727
Result
Threat name:
Cobalt Strike, HTMLPhisher, Lokibot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557929
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Cobalt Strike Beacon
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected HtmlPhish44
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1557929 Sample: seemybestbeautifulgirlwhowa... Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 16 other signatures 2->87 9 mshta.exe 1 2->9         started        12 bdWEysRwjYwmy.exe 2->12         started        14 svchost.exe 1 1 2->14         started        process3 dnsIp4 93 Detected Cobalt Strike Beacon 9->93 95 Suspicious powershell command line found 9->95 97 PowerShell case anomaly found 9->97 17 powershell.exe 36 9->17         started        99 Multi AV Scanner detection for dropped file 12->99 101 Tries to steal Mail credentials (via file registry) 12->101 103 Machine Learning detection for dropped file 12->103 22 schtasks.exe 12->22         started        24 bdWEysRwjYwmy.exe 12->24         started        26 bdWEysRwjYwmy.exe 12->26         started        79 127.0.0.1 unknown unknown 14->79 signatures5 process6 dnsIp7 75 192.3.243.136, 49707, 80 AS-COLOCROSSINGUS United States 17->75 61 C:\Users\user\AppData\Roaming\caspol.exe, PE32 17->61 dropped 63 C:\Users\user\AppData\Local\...\caspol[1].exe, PE32 17->63 dropped 65 C:\Users\user\AppData\...\ekywlzot.cmdline, Unicode 17->65 dropped 89 Detected Cobalt Strike Beacon 17->89 91 Powershell drops PE file 17->91 28 caspol.exe 6 17->28         started        32 powershell.exe 21 17->32         started        34 csc.exe 3 17->34         started        36 conhost.exe 17->36         started        38 conhost.exe 22->38         started        file8 signatures9 process10 file11 69 C:\Users\user\AppData\...\bdWEysRwjYwmy.exe, PE32 28->69 dropped 71 C:\Users\user\AppData\Local\...\tmp3CBC.tmp, XML 28->71 dropped 115 Multi AV Scanner detection for dropped file 28->115 117 Detected Cobalt Strike Beacon 28->117 119 Machine Learning detection for dropped file 28->119 123 3 other signatures 28->123 40 caspol.exe 28->40         started        45 powershell.exe 23 28->45         started        47 powershell.exe 28->47         started        49 schtasks.exe 28->49         started        121 Loading BitLocker PowerShell Module 32->121 73 C:\Users\user\AppData\Local\...\ekywlzot.dll, PE32 34->73 dropped 51 cvtres.exe 1 34->51         started        signatures12 process13 dnsIp14 77 94.156.177.95, 49711, 49717, 49718 NET1-ASBG Bulgaria 40->77 67 C:\Users\user\AppData\...\31437F.exe (copy), PE32 40->67 dropped 105 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->105 107 Tries to steal Mail credentials (via file / registry access) 40->107 109 Tries to harvest and steal ftp login credentials 40->109 111 Tries to harvest and steal browser information (history, passwords, etc) 40->111 113 Loading BitLocker PowerShell Module 45->113 53 conhost.exe 45->53         started        55 WmiPrvSE.exe 45->55         started        57 conhost.exe 47->57         started        59 conhost.exe 49->59         started        file15 signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727/
Threat name:
Script-JS.Trojan.Acsogenixx
Create hunting rule
Status:
Malicious
First seen:
2024-11-18 07:40:52 UTC
File Type:
Text
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wmveoacome2ipfqezmzense3gun4l6zfi6y5q4dqqrwfogmvc4tq._file
Verdict:
malicious
Label(s):
lokibot
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
0dc69e491c783527c6465e25b8b33447391ae9d7ace6e4c1c20db8047aa1918a
Loki
0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee
Loki
594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188
Loki
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b
Loki
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
Loki
a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4
Loki
dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
Loki
error
Loki
fc05c8cd30f572b0db13bc5189c99ce499f133f7b65167c06518638c26623a81
Loki
+ 4'400 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection defense_evasion discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/241118-v6j5kssbqk/
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://94.156.177.95/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b32a47004e61/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

HTML Application (hta) hta b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3295143/
  
Delivery method
Distributed via web download

Comments