MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6b316f65e74058405d7c1399b9f7293a5c6f6817ab9e1930fa7c6c9eb321c19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	b6b316f65e74058405d7c1399b9f7293a5c6f6817ab9e1930fa7c6c9eb321c19
SHA3-384 hash:	46c36a05f70eb43720313277c15ea96692e93b9d360fe681e95025ee4c520a6ab17659b1a106321410cf8ec0c31e0f9c
SHA1 hash:	551f7afb46f712a2c024f38ae7304a855c8f2f37
MD5 hash:	37e15bf85f3ec8ba286f69d6f05d7525
humanhash:	foxtrot-south-orange-lithium
File name:	Payment Swift Copy.zip
Download:	download sample
Signature	Loki Create hunting rule
File size:	278'556 bytes
First seen:	2021-11-02 06:51:05 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:BBOgCoX2FDx8GDC/MSCOkJybzuEewYJujRl8lZDJ:BBO627M/qOkIbzLewYcVl2Z1
TLSH	T1644423F4260FE55A5670D777F862A412C88E5030DD1C6C9B193E5A8A6EFFA71CA360C1
Reporter	cocaman
Tags:	Loki SWIFT zip

cocaman

Malicious email (T1566.001)
From: "S.J.A. GROUP OF COMPANIES <Neeta.Mhatre@cvarvon.bar>" (likely spoofed)
Received: "from hp0.cvarvon.bar (unknown [159.65.41.195]) "
Date: "02 Nov 2021 00:02:48 +0100"
Subject: "Ref: Swift Transfer - Failure /Outstanding payment"
Attachment: "Payment Swift Copy.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fn112.UNOFFICIAL

SecuriteInfo.com.Trojan.GenericKD.47300229.15364.UNOFFICIAL

Sanesecurity.Malware.22043.ZipHeur.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6180e016bf51178dbe47dee3/reports/0503424f-987e-4ff1-b4bf-cf2a9b7e205c/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/b6b316f65e74058405d7c1399b9f7293a5c6f6817ab9e1930fa7c6c9eb321c19

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b6b316f65e74058405d7c1399b9f7293a5c6f6817ab9e1930fa7c6c9eb321c19/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-02 01:44:10 UTC

AV detection:

11 of 44 (25.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w2zrn5s6oqcyiboxye4zxh3ssos4n5ubpk46deypu7dmt2zsdqmq._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/211102-hm3rcsbhb7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://secure01-redirect.net/ga24/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/b6b316f65e74058405d7c1399b9f7293a5c6f6817ab9e1930fa7c6c9eb321c19