MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b
SHA3-384 hash: 13adcdf76065007841af710ab0891fafbb4b8719c9675132daa9680be5ecea06d53a7a7db9d012117047d9bd7164274a
SHA1 hash: 17e294578086237eff446be5ae4a6187f50c7ac7
MD5 hash: a8cca2cfe0fc8a9f177e19116db504ee
humanhash: april-winner-kitten-yankee
File name:Factura_comercial_de_envio_de_DHL.exe
Download: download sample
Signature Loki
Create hunting rule
File size:838'144 bytes
First seen:2022-02-08 17:36:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4aa9a3b6508cd1bdfd52bfaa237855fc (2 x Loki, 2 x Formbook)
ssdeep 24576:eLRrWBV/skQ9A9bzoWl5Iit6jeThkB0tVSn52+zSXtS7vP:eL+sWPT+cSn52+mXtSL
Threatray 6'178 similar samples on MalwareBazaar
TLSH T16305C062F3908437C0771A394C1A5A74EA397E002D54EC867BE5AE0C9FFE3517A262D7
File icon (PE):PE icon
dhash icon e0e4a3a6a4b8b8a8 (37 x Formbook, 9 x AZORult, 9 x Loki)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/238451/
Detection(s):
SecuriteInfo.com.Trojan7000000f1.30775.4539.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Reading critical registry keys
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6389/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6202aa4a4077c8b9a0226c80/reports/07a52390-ea82-4237-99f7-dea1c299e962/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd17f629-d714-4dc2-9261-4239aa7ba9d8
Result
Threat name:
DBatLoader Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/936249
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-02-08 17:37:11 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zrcvxowjvmdqvjzpw47ktxvbefok4chy2fh3iw47qzdi4j5duifq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
011fa3e9cea288e556de0f2f018b2f57ce66114a1fbc8bc6cda7edd110641906
Loki
09be7801c1d01256f48f6c72beb080dc5947487b3e54260a2d5b16ad127e5091
Loki
50c658d55284216936130f61b68e8c3f2d16b711878e038b0d8fe9343de4521b
Loki
84252477cc98f1d08f4c8304713a9dfe3a5718fd1b6bde1e6f7a5f17ce4b2a0f
Loki
86878e85917c3e68a46b1ca8225b72bdbd46d1586b9e55eb879ef7c018e30ca1
Loki
878702b9fa51d353b5d7ca62f6e94ee21f5375fe2bd565244e27148e816ad594
Loki
c66cfde57cb65190f4df3c66970202ad22f5e6da94e0af705810cdda8c43d646
Loki
cc6f7015178099ed4fe5f69d58b2000450229beffa9947398aa7f454f01680fb
Loki
+ 6'168 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/220208-v6lneacbg4/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://remoitiluteriver.zapto.org/qopjhhgpop/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d56dcedfe9f4d0a030a551f94424ce1948fb419d114429019e2c0b769b7bfcf7
MD5 hash:
0c0de81954d7c4ac102c28514739efb7
SHA1 hash:
1820e2812b38be4bdbe40349d05e65c9f81f4a60
Detections:
win_dbatloader_w0
Create hunting rule
Link:
https://www.unpac.me/results/67c4b885-a97e-48d1-b43d-d354abda595e/
Parent samples :
074991cefc03a7683cb3c81e83c383010f45c130fdc6dafa13469bfffaf87867
15697b64ded63ae55e1a224cb4309a49a9cc475ae98f0ddfa951804afc3ee32e
ac24ac478aaa88087714b8249c93d92d5edbc511bdb04c6b623479ed8fc6c8de
527036f9e449de86dc23ca03f80ea7da2d0ee7d7752203bbfad4ffb9237a19a8
b054b0a613909898688c3a25ebc355d1e62289641b1103fa4d1defb1c04aa9a2
69142989b11074332c57d4f64b2ce684dbc998af67928c3f38a2f7a6b05644c0
28562d1e97597dbe302d550277e91bd4aa6869bd3d356668bc7c48b2b6eaa3d1
aac09011a3c3e7adce5c2fa1672b428d6a565993641bf350dd65f8c0319dbfd8
09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92
fcdf1e07c91a675bb415f4406e709795964d3a177e6c6afc68437be8f6013d6a
8dcd0243ce72784ad2782b0021d6692133fe314cdd1cf7b44ded3ac7c04b36b0
b324d1babd989b4a671dff38634d8eaba21673730315b40f2005b28c4732a5b6
799ad611c58e732adb2d296f4f4050b9d7b869ab34272ae51fc2c1c818be33f1
e576b18c7eb5581bb16e0e0f9e69b2f1462b491669a2a82d0fb6df7e55f7b3cc
1108f751687ce7947a548233e2c57fc9d2bdc71df78fb757d3d8c7820ddbbe90
3245f88de02600ae1053fa8260fa02a63e46bf9d8f50aeba8ceea66b7b6488a5
4877dd469af0e1ac31efa295325a3024d10abdc0a7eeaf74fe5b4eb9d0518bd9
c180bb8451472fc5931d0dc3aac6ef18ca417665b958d1480dd0787ba3de238a
09be7801c1d01256f48f6c72beb080dc5947487b3e54260a2d5b16ad127e5091
b1d4e3af02c434b479ff7305d57cb5d1e64a6411fe4cc5d5335cc4eb5e7cf8f4
568cfb6f770f6fbec1f18595bb78183e1fb5d2e7086f747230f2706ce29ed381
cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b
51673b1856a0e3342e6ecb4dabdddbeb84ae4323de1e1f8b9da92eab74cc2758
23d09e266528b3ffbd4fc656743303461b9c8a5780d02e28b666243406915401
a75badb1c9ed280cc239b0d7659799d31cf2c63c609667c69a0e5d9d06d53896
74d2b78e8ac7268cf8c0c1b97aa0ea37fde7945cd1867587f3c9de7a898d7f74
8b7ae9f195b075a789d6d8277d500d27754bfa3c53ecca8db7beac8ccd07884f
f677570815857242b83340d50410dfbc9da7d77b87dff3ce887b0cf47b16095e
0f93f8bfa92a0387d3076d636200ce5a4f474a1bfaf591d17c40111816c4de8b
5f079a7612eb05e8574d8604154ea233b8da905cc59ba6fbaa4485c99fc2933e
31fa37041b3f218ac8e44e16ae4bc549e962ce1cda58a1df870179ee94ed1753
60bf53eb4a1c93e2956fb3bb5f60a18579aeb270206ce6c4a3b32c6c4e9165d2
3de53b4ea3e4c8c8522ca9fc9d38a1556cf645298b0fe18c937b0f307dba129f
36d637499adcbc01c5783e66b5d9a2678426c7e8265087b8db47a002816d6fd4
2179647ebf96503deb5fae78827c5d99757f2926f0226cb5a6e4181e2f0c1a07
98e33ebe79b9c93602af7b79bb4f3f63c2f3c1417b1c41be6e814a9930e43b3e
faa817223ef389f3ee864d27cf1ec44f2c09b51686b0957cd344fe18e5144635
ee66580c236649c4fa02f530ea8c5bd2eecc290e46d5a562bae98858ba1bc893
ea222f4ca18d4bd57e605742a68c0f6b40436d9219700a75ade966e9488db34e
177b480007813a30ee6c8e267b76848fe9f66b11557eb3e7422e680b46368b03
aa38c8327df5d1755de504ea0eccf988a34c786d80f0becb3e99491527289089
edae9d57ca54a66ec71baef31fff690098c5196b44f1140f897f3bc02caeef1c
5c8973990d63bf969c6fca63d2856c35641d63774d3b362123059fbb5a74a578
be910ed7df930a3d74f01ac74e72f8c3ed89d791f29b731cb2076d632b6ce9cd
10b8fbcea2f59c78bdbf498297dbbe4c8156f80b371bf1bee8cedd196e911d27
a0c5d20304a9b2339bd9ed8ec0eca757bb7f69fecc7167857600cf4853f7b2c2
SH256 hash:
cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b
MD5 hash:
a8cca2cfe0fc8a9f177e19116db504ee
SHA1 hash:
17e294578086237eff446be5ae4a6187f50c7ac7
Link:
https://www.unpac.me/results/67c4b885-a97e-48d1-b43d-d354abda595e/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe cc455bbac9ab070aa72fb73ea9dea1215cae08f8d14fb45b9f86468e27a3a20b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/238451/

Comments