MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0
SHA3-384 hash: ec8ea02acb64f38f2bc3bb4b0b14f88fbb53c3e847626c9cc62fea5d00edfbacd0e7e0c87124de31a69cb0c041f4a2fa
SHA1 hash: f6e7d042ba9d81548e5cc34a4e716429ae64ba16
MD5 hash: aa2079c97f01161455170da935ff6530
humanhash: arkansas-neptune-california-pluto
File name:Payment_Slip_Pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:612'352 bytes
First seen:2023-09-14 07:14:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Qam9Y1PYyVFh/I1K5uodK+F9SWwsukeF7xUajIKkdd2ag3HIs7qmDr:Qam9Y1g+FoYuC9SJsukeF7x3ML
Threatray 4'037 similar samples on MalwareBazaar
TLSH T1A8D4BE9E760076EFC827C976AD545C20DA11AC7B970BC203905732A99D3D997CF286F3
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
380
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Payment_Slip_Pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-09-14 07:17:40 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/e10fc2c8-4b90-4bf2-8ec2-4731c79af24c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/448572/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.31238.19195.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Restart of the analyzed sample
Enabling the 'hidden' option for analyzed file
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Moving of the original file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/6502b2fe69c1cf3b6ab594dd/reports/fb7af844-ebd5-4308-9373-72826a728066/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/262fc45d-4ba0-425d-bacd-9fc776fe1c4a
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307659
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1307659 Sample: Payment_Slip_Pdf.exe Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Found malware configuration 2->49 51 13 other signatures 2->51 7 Payment_Slip_Pdf.exe 7 2->7         started        11 aRlzylgJ.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\Roaming\aRlzylgJ.exe, PE32 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmpDC16.tmp, XML 7->37 dropped 53 Detected unpacking (changes PE section rights) 7->53 55 Detected unpacking (overwrites its own PE header) 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 67 2 other signatures 7->67 13 Payment_Slip_Pdf.exe 54 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 20 7->19         started        21 schtasks.exe 1 7->21         started        59 Antivirus detection for dropped file 11->59 61 Multi AV Scanner detection for dropped file 11->61 63 Tries to steal Mail credentials (via file registry) 11->63 65 Machine Learning detection for dropped file 11->65 23 schtasks.exe 11->23         started        25 aRlzylgJ.exe 11->25         started        signatures5 process6 dnsIp7 39 moore.meyervanderwalt.top 104.21.31.243, 49723, 49726, 49727 CLOUDFLARENETUS United States 13->39 41 172.67.180.247, 49724, 49725, 49731 CLOUDFLARENETUS United States 13->41 43 192.168.2.1 unknown unknown 13->43 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->69 71 Tries to steal Mail credentials (via file / registry access) 13->71 73 Tries to harvest and steal ftp login credentials 13->73 75 Tries to harvest and steal browser information (history, passwords, etc) 13->75 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        signatures8 process9
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 06:51:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zr4dkelx2p24qbcnyx6zcleuyakjvsik6qhwfsqfttty7fx4tkya._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0b3086effd8f6fba603ce006970a17242a05c79e30acc38b61b50600558e27d6
Loki
29dbebeec58981c106716f9c9db0137f7ff0e808f60577a9e1a29050d036861d
Loki
3de5721129e50c9573655c4ae31b46034ed39728ef5cab7430f85e4fd72bc5ed
Loki
446701e7736c00e2c322ca98d6aede83902a30ecbc1499e4910ce5d491f6edf3
Loki
714019a91e02fadaeb6d80aefde39056f633a88bc6a933e809a52ec1ff56a666
Loki
99ec1975dce682ac02bbaa13b9452e73fd5f454da62e1760c749d6777a346d17
Loki
e2357821cf4c5c1991d7751e1ddad32d833979c37dcb9c51013b9bf403f615bf
Loki
+ 4'027 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230914-h287pach37/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://moore.meyervanderwalt.top/_errorpages/moore/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
eda3c705ee7d1d8eaa247ccd985227a38e8658512c3c7b1a723ef8eb17608dfe
MD5 hash:
05f84d8c6d59cb31fa1c378fbb034295
SHA1 hash:
53437fa9c25766f8eb8ea4c89df14a2075502f33
Link:
https://www.unpac.me/results/021dd9ae-d88d-4e14-a9ae-377f04629d94/
SH256 hash:
90d05de22d370244a60624a95b17ea400116906f7791a1fcdf4f6efa57afedf1
MD5 hash:
9c32e3c7c7b6fafab1095d26b341dd5d
SHA1 hash:
2d613f623acb8634e2f4283087872a27fad3ebdc
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/021dd9ae-d88d-4e14-a9ae-377f04629d94/
Parent samples :
cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0
16cb8d68c27acf7882ac19e88947994d1d4029d2548a50bc5af6aadb78540f59
994dc036815301e1dc941170900f527cea3db5a51ccbbcdd58863a9914d5d1f7
987bb2748cb98b169046adc19157f2225896231e547d55298efaea4cc19331ab
SH256 hash:
784d4e0af30bcca58d54f86b6966e1c147bcc194a99126ebe79538e9084f6d80
MD5 hash:
5caf74e6818e40e82651781613a42425
SHA1 hash:
2a182b1552373e0907bfd03db31120596df994d0
Link:
https://www.unpac.me/results/021dd9ae-d88d-4e14-a9ae-377f04629d94/
SH256 hash:
324c1b8f91c198e82a5d0c9c9d6a9eb2e2962276685d2180c39aa50440a7f88d
MD5 hash:
a28f8ce2d1b2fd4ab214f102567d5afc
SHA1 hash:
2448ee23c1766cae91717ddcaf2e2395fce1779b
Link:
https://www.unpac.me/results/021dd9ae-d88d-4e14-a9ae-377f04629d94/
SH256 hash:
cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0
MD5 hash:
aa2079c97f01161455170da935ff6530
SHA1 hash:
f6e7d042ba9d81548e5cc34a4e716429ae64ba16
Link:
https://www.unpac.me/results/021dd9ae-d88d-4e14-a9ae-377f04629d94/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc78351177d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe cc78351177d3f5c8044dc5fd912c94c0149ac90af40f62ca059ce78f96fc9ab0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448572/

Comments