MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825
SHA3-384 hash: 3650eb4c213581955f52f2cef3dad7a269359ee864ac4d9b4cf866a603de3205edb1d5a66a19aa89e9293dc84a662f75
SHA1 hash: a8e75364d85c7fc255f3dfa235ad391a750fc069
MD5 hash: c292df12ee6067765db8d94b81c7ce2b
humanhash: uranus-foxtrot-carolina-fish
File name:견적서건 - NEOBLACK_RFQ074.exe
Download: download sample
Signature Loki
Create hunting rule
File size:832'512 bytes
First seen:2021-07-19 02:18:52 UTC
Last seen:2021-07-19 02:47:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:r1AyvUIZbVlBPI2VBPJHRU+GYb2Gs+JrwZ+lvR7KCK+DE6UQr:dvDBlBPIOBP9qYSOrwZ+tR7Kvl6U
Threatray 3'674 similar samples on MalwareBazaar
TLSH T1CB05E0663227A218CC3883F55C65D2B07BFE6C1A662DC2782EC8AD7F3D736785AC0545
Reporter Anonymous
Tags:exe Loki

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://192.236.179.121/new/smick/fre.php https://threatfox.abuse.ch/ioc/161492/

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
견적서건 - NEOBLACK_RFQ074.exe
Verdict:
Malicious activity
Analysis date:
2021-07-19 02:14:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/90ef8a17-f60f-4b1f-8dfc-c4d50bbaee04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172456/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DZG.genEldorado.29830.13100.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94ae9314-6192-47dd-b393-841cd4a84711
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818005
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 02:19:03 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zu3mf7jjmst4njocbw7zaxsodpjivkhbndzpuuh7fci23tk5dasq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0d3d14fdccf5dc0a3e9454fecfe7dbec05448d00d221f9b0628f556f915530bc
Loki
2070d6f358d9a25cce07e2179d7a4625bca289e433a74718bc9300350f1d3e1c
Loki
61c61db5ebc4d0c1bea4504adc9462abd0d100e3b3e468a3e5381193d1d6aae0
Loki
89f35e6df8747241c1c7afa4f66b071c795b89d86225e201261f385f880f7599
Loki
a130cf9df18f1ae304826c98d4e7cfd2e75043b126a1df0c0a36f98a64cde5c2
Loki
ad2be9cf672a906a4e35b84210c95c3f2b0ebf1e55be6e2006498575b8871865
Loki
b05d4c847f6c158729a1d150d30c75319e6e238044928baaa631ecd053335463
Loki
b08aa6db43d35f2ce53c58391b78bae7f47093ffce3637e32d420e35e9efcef5
Loki
b0ea4256ed6da35b96a40d763e8281f46ff79c78a0c92aca14c69eaf13a3d244
Loki
c068f0de516b706a3f8a2a7f949673f3cc9e3d94a5d130907809959e2c1e5729
Loki
+ 3'664 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210719-2lv1jdw6s6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Unpacked files
SH256 hash:
9e91c4745b5a276d16bb57323ae8a450acedbbf13ad0d2e7b5b93e6ff42ccd81
MD5 hash:
03c779452755af7bfbc3d35a9d3c88dd
SHA1 hash:
c1313d1f0306863e768ec9bb8329e489f25546d8
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/f34872ce-5819-4c64-9fa2-8575d5c86cc1/
Parent samples :
cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825
bebd5166f4eff3ee60427b7e1d625b4799eb434cea232687a2fb2fe0b784bb53
SH256 hash:
ace041b5234ed603294fd178822a2b993908122814f4196679adbb6f3b510a1c
MD5 hash:
05f5bf2010a67221d9f6f862ba9978fe
SHA1 hash:
afd746d215d776223b8fce28c493a856f54a0f44
Link:
https://www.unpac.me/results/f34872ce-5819-4c64-9fa2-8575d5c86cc1/
SH256 hash:
f82ceff83d1805c7d38897bac1069f200f4db8f2e6c08b4eb5ce722d4f98303d
MD5 hash:
18bc00f9b9b83ffe7065fc24b2020767
SHA1 hash:
57f77ca5d2745f68d2edc7023b5dbcce4b675a13
Link:
https://www.unpac.me/results/f34872ce-5819-4c64-9fa2-8575d5c86cc1/
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/f34872ce-5819-4c64-9fa2-8575d5c86cc1/
SH256 hash:
cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825
MD5 hash:
c292df12ee6067765db8d94b81c7ce2b
SHA1 hash:
a8e75364d85c7fc255f3dfa235ad391a750fc069
Link:
https://www.unpac.me/results/f34872ce-5819-4c64-9fa2-8575d5c86cc1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd36c2fd2964a7c6a5c20dbf905e4e1bd28aa8e168f2fa50ff2891adcd5d1825

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172456/

Comments