MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8610287a5203fb11083b5911f48b591b573616ebda0ad43b2cabf1ddb98f3e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	c8610287a5203fb11083b5911f48b591b573616ebda0ad43b2cabf1ddb98f3e8
SHA3-384 hash:	672628e46eec208df1b6c7ef97cd97069450de790931606df95a47c99b1e93493e9c9bef20de121a5d11f63340fcd825
SHA1 hash:	2bab0d563953a26b5672c21e7b1aeb895437a9a4
MD5 hash:	f7311c95fefc8168d64c1c7fe0137599
humanhash:	coffee-shade-edward-mango
File name:	DHL Express Commercial_Invoice.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	743'424 bytes
First seen:	2022-02-09 15:01:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:sAm2j94+/jua7RLwW9bzAV7cf+lLIJ6q/bIz0+Sea9:skxjh/u7J+XbIMea9
Threatray	7'358 similar samples on MalwareBazaar
TLSH	T1A7F49D2F087E123AC5BCCB715984DE1FB5A2DD663533A91D29963AC915367F230C222F
Reporter	abuse_ch
Tags:	DHL exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

201

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/239643/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.25375.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Creating a file

Reading critical registry keys

Enabling the 'hidden' option for analyzed file

Stealing user critical data

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6203d7734077c8b9a02738d6/reports/8ca1479f-7773-4762-b4ca-065a19dfa99d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4ee0b632-aae7-469a-b3ab-e2a7b73f1ad2

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/937124

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Defender Exclusion

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/c8610287a5203fb11083b5911f48b591b573616ebda0ad43b2cabf1ddb98f3e8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-09 15:02:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=zbqqfb5fea73ceedwwir6sfvsg2xgyloxwqk2q5szk7r3w4y6pua._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

4f4e2371c3a52e1ed316343e2bdec94a832793794c820da4be035e865fd15931

Loki

68f3c6392d7796a95c120279edc9506fc547c994d89a004bfc07e96ec8f9636b

Loki

b93757300c2662e468ae2a0059154c75f1360bf28f788d5a74e4a39e54c68285

Loki

c41264da7b425a18800febf92233bd5009c34d604ca3f3ba1ad3853f1b77948c

Loki

eab9fbffb011f0acbbed9032c2f11bf6252fc6d5b7dce607223f64c24aa43470

Loki

f1d850ad09aaeca300c16b8a5e0fc096ea010df778f18eef0610adbfa192c337

Loki

+ 7'348 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection evasion spyware stealer suricata trojan

Link:

https://tria.ge/reports/220209-sdwlssahcp/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Maps connected drives based on registry

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://63.250.35.245/image.php?view=43033095327722773
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

af886e9b73c81fcaee9a5edae9b01c79d0087ac42317d55e805c54146afcbd84

MD5 hash:

d251d4c7044b9c6366e278e64879b9cc

SHA1 hash:

bfc7205eabbb93004426614bcfacbe467e8cccc2

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/d276f170-f398-43d5-83c6-a3e4ca328e04/

Parent samples :

7a03b50a7e61d6b9a6a18b3ffc18bff1f86627062e9cee004638d9acec13bbfb
c8610287a5203fb11083b5911f48b591b573616ebda0ad43b2cabf1ddb98f3e8
557a40a6f2538708cf4daa70de86bf5cf50a460d33925a47e82ed33bb5f6c177
8b2da3a6197bb1a6d978a1470cab471249f1e70f0ec589b6ff1e1d480ab7ffc4
f92ed4b914d93884de367cf9e7878d68bf45f7ab2b6c46abb425c029e791208f
7b4a5e40c0d2a550f9abf4e676b30c69d07d9f95fabcd6275a4aa4594071026f
0df7366bf6c0dcf5e7cf039b751534007dbc547b2cf4a6bfd083b7e4f471cf7a
3f3435544aa72603a00556a6f897b95e7c061ace58227cfc8c464cc1a2cb1c89

SH256 hash:

0cc119786b104cf0aa261a208bf38802b339774ff3d7a42afcd8329d2d7d21c9

MD5 hash:

263b5190f7ac42d83c756dcdf38147bb

SHA1 hash:

78f419fe3936ed7d603706c47230cd3e6ff79ffe

Link:

https://www.unpac.me/results/d276f170-f398-43d5-83c6-a3e4ca328e04/

SH256 hash:

bcd244168561497d5a64ca88a3d9463bdd248bf3b50c2b8a26b16d34b0eef911

MD5 hash:

29f7fea24ac79d45ccc202f94cec700b

SHA1 hash:

5d789c9c77f466837384f206e81131c45a7c8a89

Link:

https://www.unpac.me/results/d276f170-f398-43d5-83c6-a3e4ca328e04/

SH256 hash:

c8610287a5203fb11083b5911f48b591b573616ebda0ad43b2cabf1ddb98f3e8

MD5 hash:

f7311c95fefc8168d64c1c7fe0137599

SHA1 hash:

2bab0d563953a26b5672c21e7b1aeb895437a9a4

Link:

https://www.unpac.me/results/d276f170-f398-43d5-83c6-a3e4ca328e04/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe c8610287a5203fb11083b5911f48b591b573616ebda0ad43b2cabf1ddb98f3e8

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/239643/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample