MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Maldoc score: 2


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292
SHA3-384 hash: 1fbda593371e67a765356b91efab536c0e63c72a4585ff807ef5eed522883e37ca0eaa09cfb65675d802032ecd881daa
SHA1 hash: 558b44b82ec62ef8c80d88a4dc25fbd95c1cd208
MD5 hash: eb08dce7b777d06893a3b74c3c148391
humanhash: earth-failed-eighteen-iowa
File name:Arrival notice & delivery certificate.xls
Download: download sample
Signature Loki
Create hunting rule
File size:1'334'784 bytes
First seen:2023-11-28 06:57:37 UTC
Last seen:Never
File type:Excel file xls
MIME type:application/vnd.ms-excel
ssdeep 24576:Pw6/UZyaCfg8Wjw6/3ZyPCfg8WD/L8coQ4xvTcqJvv427zM6waTX:46/Gv/E6/JM/j/YrQeIYvv42746h
TLSH T12B55F0039804DB83D50D87F9BE434EE91F0A6F19E89569DF20667FCF3A31A620D9A11D
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:CVE-2017-11882 CVE-2018-0802 Loki xls

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 2
OLE dump

MalwareBazaar was able to identify 33 sections in this file using oledump:

Section IDSection sizeSection name
1114 bytesCompObj
2244 bytesDocumentSummaryInformation
3120200 bytesSummaryInformation
494 bytesMBD002E3149/CompObj
562 bytesMBD002E3149/Ole
620409 bytesMBD002E3149/CONTENTS
794 bytesMBD002E314A/CompObj
862 bytesMBD002E314A/Ole
964830 bytesMBD002E314A/CONTENTS
1093 bytesMBD002E314B/CompObj
1164 bytesMBD002E314B/Ole
12124841 bytesMBD002E314B/CONTENTS
1399 bytesMBD002E314C/CompObj
14187496 bytesMBD002E314C/Package
1594 bytesMBD002E314D/CompObj
1662 bytesMBD002E314D/Ole
1764830 bytesMBD002E314D/CONTENTS
1893 bytesMBD002E314E/CompObj
1964 bytesMBD002E314E/Ole
20124841 bytesMBD002E314E/CONTENTS
2199 bytesMBD002E314F/CompObj
22187472 bytesMBD002E314F/Package
2320 bytesMBD002E3150/Ole
241699 bytesMBD002E3150/oLE10NaTivE
25408434 bytesWorkbook
26529 bytes_VBA_PROJECT_CUR/PROJECT
27104 bytes_VBA_PROJECT_CUR/PROJECTwm
28977 bytes_VBA_PROJECT_CUR/VBA/Sheet1
29977 bytes_VBA_PROJECT_CUR/VBA/Sheet2
30977 bytes_VBA_PROJECT_CUR/VBA/Sheet3
31985 bytes_VBA_PROJECT_CUR/VBA/ThisWorkbook
322644 bytes_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
33553 bytes_VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
1
# of downloads :
363
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460860/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.19728.9505.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Heur.1282.16692.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Other.Malware-gen.25106.3990.UNOFFICIAL
Create hunting rule

Sanesecurity.Shelter.Malware.BadMacro.BadOleNatEquat.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.EQAndMisCasedOleNativeWasTheCaseThatTheyGaveMe.20200215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching a process
Creating a file in the %AppData% directory
Сreating synchronization primitives
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Stealing user critical data
Query of malicious DNS domain
Sending an HTTP POST request to an infection source
Creating a process from a recently created file
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Link:
https://app.docguard.net/cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292/results/dashboard
Behaviour
BlacklistAPI detected
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control embedequation exploit exploit fareit greyware lolbin macros packed shellcode
Link:
https://www.filescan.io/uploads/65658f7a97dc047c4b9467a6/reports/defc7882-1ac0-42e5-8961-f7da9838a4f0/overview
Verdict:
Malicious
Labled as:
CVE-2018-0802
Link:
https://www.hybrid-analysis.com/sample/cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292
Label:
Benign
Suspicious Score:
4.7/10
Score Malicious:
47%
Score Benign:
53%
Link:
https://www.malware.ai/gui/files/?id=d2ac91a7-2d61-458a-852c-f134bd494cfb
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1349077
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Excel sheet contains many unusual embedded objects
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Shellcode detected
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1349077 Sample: Arrival_notice_&_delivery_c... Startdate: 28/11/2023 Architecture: WINDOWS Score: 100 32 sempersim.su 2->32 40 Snort IDS alert for network traffic 2->40 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 16 other signatures 2->46 7 EQNEDT32.EXE 12 2->7         started        12 EQNEDT32.EXE 12 2->12         started        14 AcroRd32.exe 33 2->14         started        16 EXCEL.EXE 58 62 2->16         started        signatures3 process4 dnsIp5 38 146.70.35.211, 49164, 49193, 80 TENET-1ZA United Kingdom 7->38 26 C:\Users\user\AppData\Roaming\wlanext.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\kung[1].exe, PE32 7->28 dropped 56 Office equation editor establishes network connection 7->56 58 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 7->58 18 wlanext.exe 54 7->18         started        30 C:\Users\user\AppData\Local\...\kung[1].exe, PE32 12->30 dropped 22 wlanext.exe 12->22         started        24 RdrCEF.exe 2 14->24         started        file6 signatures7 process8 dnsIp9 34 sempersim.su 104.237.252.65, 49166, 49167, 49168 DEDICATED-FIBER-COMMUNICATIONSUS United States 18->34 48 Antivirus detection for dropped file 18->48 50 Detected unpacking (changes PE section rights) 18->50 52 Detected unpacking (overwrites its own PE header) 18->52 54 6 other signatures 18->54 36 192.168.2.255, 137, 138 unknown unknown 24->36 signatures10
Detection:
cve-2017-11882-shellcode
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292/
Threat name:
Win32.Exploit.CVE-2018-0802
Create hunting rule
Status:
Malicious
First seen:
2023-11-27 21:33:24 UTC
File Type:
Document
Extracted files:
118
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zukuojqcpwfhwlmfsrrk4qnfkxt7iv5hukam4m37abwnu2ghskja._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/231128-hrgppafh34/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Launches Equation Editor
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Lokibot
Malware Config
C2 Extraction:
https://sempersim.su/a16/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd154726027d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_OLE_EXPLOIT_CVE_2017_11882_1
Create hunting rule
Author:ditekSHen
Description:detects OLE documents potentially exploiting CVE-2017-11882
Rule name:informational_win_ole_protected
Create hunting rule
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:office_document_vba
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Office document with embedded VBA
Reference:https://github.com/jipegit/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Excel file xls cd154726027d8a7b2d859462ae41a555e7f457a7a280ce337f006cda68c79292

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/460860/

Comments