MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c10da7caa9351f34bb277a3e497904079c32fe1338ffa5c43faff0d12800d5a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	c10da7caa9351f34bb277a3e497904079c32fe1338ffa5c43faff0d12800d5a7
SHA3-384 hash:	7e499767c1498075a38db0a0a9d31bde60b0d23dbd7b2b1919f3b70e32ffcd8ce1cffb882d097bbd1553f7e2a9e9317e
SHA1 hash:	11fca0a6c15e1e42feccde36074bc29269b626ae
MD5 hash:	ee150cb4cfc81fe4c6ca971553839775
humanhash:	black-venus-uncle-venus
File name:	NEW ORDER INQUIRY_B9020289.pdf.7z
Download:	download sample
Signature	Loki Create hunting rule
File size:	315'625 bytes
First seen:	2021-11-03 13:05:02 UTC
Last seen:	2021-11-03 15:23:01 UTC
File type:	7z
MIME type:	application/x-rar
ssdeep	6144:e7UBpqTg/Yn9fea6KVPCKUDY3sJgkjBQ3biwgebBsnvYwjin:eQBpMgAn9ZJgnMcJFimwRbtwun
TLSH	T15B6423B136D3F2D3DEEDD12170531C9E9E008A1BCAB4DADBC98C81BA17295506F185DE
Reporter	cocaman
Tags:	7z Loki

cocaman

Malicious email (T1566.001)
From: "Murray Millson <sales@devilletechnologies.com>" (likely spoofed)
Received: "from devilletechnologies.com (unknown [45.137.22.150]) "
Date: "03 Nov 2021 16:12:43 +0100"
Subject: "NEW ORDER INQUIRY_B9020289"
Attachment: "NEW ORDER INQUIRY_B9020289.pdf.7z"

Intelligence

File Origin

# of uploads :

# of downloads :

148

Origin country :

n/a

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61828902bf51178dbe4c76f8/reports/a8611791-324f-49b3-9aba-1fd5d2cd3c9e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c10da7caa9351f34bb277a3e497904079c32fe1338ffa5c43faff0d12800d5a7/

Threat name:

Win32.Infostealer.PrimaryPass

Status:

Malicious

First seen:

2021-11-03 09:32:35 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=yeg2psvjguptjozhpi7es6iea6odf7qthd72lrb7v7ynckaa2wtq._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/211103-qbhwtadha5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://akiwinds.duckdns.org/chats/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c10da7caa9351f34bb277a3e497904079c32fe1338ffa5c43faff0d12800d5a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research

Rule name:	SUSP_RAR_with_PDF_Script_Obfuscation_RID34A4 Create hunting rule
Author:	Florian Roth
Description:	Detects RAR file with suspicious .pdf extension prefix to trick users
Reference:	Internal Research