MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c14a6e9a7632cd3936d74adeb656b0d3147ec5233cc01c59a1e4bbd0e4d49b41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Maldoc score: 23


Intelligence 17 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c14a6e9a7632cd3936d74adeb656b0d3147ec5233cc01c59a1e4bbd0e4d49b41
SHA3-384 hash: 2b538dfd3c49385e69c3abbdf39461e8747279b9dd024e43fd931beb3961c80a3bfccd60ec979781227c7612d0c8a3b8
SHA1 hash: 70820cbb05d2910b0674ee5f01966ac104ee2760
MD5 hash: bac28e6a77c77ce457e4dd46ca5f0aa7
humanhash: south-winner-double-shade
File name:Pago.doc
Download: download sample
Signature Loki
Create hunting rule
File size:48'640 bytes
First seen:2024-12-04 16:20:26 UTC
Last seen:Never
File type:Word file doc
MIME type:application/msword
ssdeep 384:twfFAhRp/6j1dhUsQGlWmxDJzkpiSY5UWFnCRMgAaswgYg71p+Hrct2/ac60j28p:SKhHi3KnCWmHzk7IC9swgB71pMCfLIN
Threatray 4'186 similar samples on MalwareBazaar
TLSH T103231902B291D517F26185B04DDBDBEAB325BD1DAD02830B32D4BB0EBD796B4CE26744
TrID 52.6% (.DOC) Microsoft Word document (30000/1/2)
33.3% (.DOC) Microsoft Word document (old ver.) (19000/1/2)
14.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika doc
Reporter abuse_ch
Tags:doc Loki


Avatar
abuse_ch
Loki C2:
http://stipamana.com/redrshyjdft/Panel/five/fre.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://stipamana.com/redrshyjdft/Panel/five/fre.php https://threatfox.abuse.ch/ioc/1352148/

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 23
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
24096 bytesDocumentSummaryInformation
34096 bytesSummaryInformation
46909 bytes1Table
58018 bytesData
6489 bytesMacros/PROJECT
771 bytesMacros/PROJECTwm
8918 bytesMacros/VBA/NewMacros
99283 bytesMacros/VBA/ThisDocument
104525 bytesMacros/VBA/_VBA_PROJECT
11578 bytesMacros/VBA/dir
124096 bytesWordDocument
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecDocument_OpenRuns when the Word or Publisher document is opened
SuspiciousOpenMay open a file
SuspiciousWriteMay write to a file (if combined with Open)
Suspiciousadodb.streamMay create a text file
SuspiciousSaveToFileMay create a text file
SuspiciousShellMay run an executable file or a system command
SuspiciousWScript.ShellMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousShell.ApplicationMay run an application (if combined with CreateObject)
Suspiciousmicrosoft.xmlhttpMay download files from the Internet
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
499
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Pago.doc
Verdict:
Malicious activity
Analysis date:
2024-12-04 16:22:36 UTC
Tags:
macros macros-on-open phishing lokibot stealer
Link:
https://app.any.run/tasks/997d66b7-9190-4f3e-aa3f-2132847ad2d6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
MiscreantPunch.EvilMacro.AODBWSRBMS.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.StatusIsLikeAFriend.20210201.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Macro-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.XlsM.objshell.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67508274bc8c6beb3075abaf
Tags:
office macro micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Connection attempt to an infection source
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Query of malicious DNS domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Creating a process from a recently created file
Sending an HTTP POST request to an infection source
Result
Verdict:
Malicious
File Type:
Legacy Word File with Macro
Link:
https://app.docguard.net/c14a6e9a7632cd3936d74adeb656b0d3147ec5233cc01c59a1e4bbd0e4d49b41/results/dashboard
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Labled as:
Msoffice/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c14a6e9a7632cd3936d74adeb656b0d3147ec5233cc01c59a1e4bbd0e4d49b41
Label:
Malicious
Suspicious Score:
9.6/10
Score Malicious:
96%
Score Benign:
4%
Link:
https://www.malware.ai/gui/files/?id=558739d1-5e3a-4776-8060-32881b849f74
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1568502
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Office process drops PE file
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1568502 Sample: Pago.doc Startdate: 04/12/2024 Architecture: WINDOWS Score: 100 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 20 other signatures 2->52 7 WINWORD.EXE 345 41 2->7         started        process3 dnsIp4 34 www.sodiumlaurethsulfatedesyroyer.com 188.114.97.6, 443, 49161 CLOUDFLARENETUS European Union 7->34 26 C:\Users\user\AppData\Roaming\...\FYJFZ.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\...\server1[1].exe, PE32 7->28 dropped 30 C:\Users\...\~WRD0000.tmp:Zone.Identifier, ASCII 7->30 dropped 32 3 other malicious files 7->32 dropped 54 Document exploit detected (creates forbidden files) 7->54 12 FYJFZ.exe 7->12         started        file5 signatures6 process7 signatures8 56 Antivirus detection for dropped file 12->56 58 Tries to steal Mail credentials (via file registry) 12->58 60 Machine Learning detection for dropped file 12->60 62 Injects a PE file into a foreign processes 12->62 15 FYJFZ.exe 112 12->15         started        20 FYJFZ.exe 12->20         started        22 FYJFZ.exe 12->22         started        process9 dnsIp10 36 stipamana.com 45.149.241.168, 49162, 49163, 49164 UUNETUS Germany 15->36 24 C:\Users\user\AppData\...\5879F5.exe (copy), PE32 15->24 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Tries to steal Mail credentials (via file / registry access) 15->40 42 Tries to harvest and steal ftp login credentials 15->42 44 Tries to harvest and steal browser information (history, passwords, etc) 15->44 file11 signatures12
Score:
100%
Verdict:
Malware
File Type:
OFFICE
Link:
https://malprob.io/report/c14a6e9a7632cd3936d74adeb656b0d3147ec5233cc01c59a1e4bbd0e4d49b41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c14a6e9a7632cd3936d74adeb656b0d3147ec5233cc01c59a1e4bbd0e4d49b41/
Threat name:
Win32.Infostealer.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2024-12-04 16:21:04 UTC
File Type:
Document
Extracted files:
19
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yffg5gtwglgtsnwxjlplmvvq2mkh5rjdhtabywnb4s55bzgutnaq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04f557582bc8b4c4af843d0c837124da73f887ac5b997efdd78f96d45caced85
Loki
0af4bdeb4de3a9f8cac5601c872cd4d9a7e9fb06a4fc0a7ed4fb60d6cb64b957
Loki
0dc69e491c783527c6465e25b8b33447391ae9d7ace6e4c1c20db8047aa1918a
Loki
0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee
Loki
16510508a55e331de91a5e246b4d0174a419203d557d7407861bf24a947ce16c
Loki
594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188
Loki
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
Loki
7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a
Loki
a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4
Loki
error
Loki
f3797cb6054ef9d5de1b4ecb2745424ef0481c5cb28ec2f2384d2591019e1650
Loki
+ 4'176 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery macro macro_on_action spyware stealer trojan
Link:
https://tria.ge/reports/241204-ttmt9s1kdz/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Office loads VBA resources, possible macro or embedded object present
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Lokibot
Lokibot family
Malware Config
C2 Extraction:
https://stipamana.com/redrshyjdft/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e0c1f0e6-28fa-440a-8c18-3d45d0c0a9e9
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c14a6e9a7632/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c14a6e9a7632cd3936d74adeb656b0d3147ec5233cc01c59a1e4bbd0e4d49b41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments