MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0e1a66f5e4e2277f8860afbc082395b7a3d452d24eeb0631c8f34dae047a45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf0e1a66f5e4e2277f8860afbc082395b7a3d452d24eeb0631c8f34dae047a45
SHA3-384 hash: 5e88b7a0e3561924f1a873c216d71ee5b90a58867abe2ccf71eb37b6ec763d8a7edfea8ec9838f190742ea4faadcce7c
SHA1 hash: c05f0d0be379aec2db64f44f8d13cb9233186c97
MD5 hash: b6e8a1cedb6c4c352c40965041a70b0c
humanhash: jersey-edward-twenty-spring
File name:additional order_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:366'179 bytes
First seen:2022-12-14 14:05:57 UTC
Last seen:2022-12-14 15:35:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 97318da386948415d08cef4a9006d669 (71 x Formbook, 35 x SnakeKeylogger, 26 x AgentTesla)
ssdeep 6144:vEbMnl6tA5xFHr3nh9MpO4pvs1j2orO3wQpzz:55rr3nh9MRCj2m6pn
Threatray 9'638 similar samples on MalwareBazaar
TLSH T1537439A1F2A5C8DFE86552B08C9EF92031936D6D9461560F31967F2EA8B3353106FB0F
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 79e0c4ccccc4c4c0 (11 x Loki, 4 x AgentTesla, 3 x SnakeKeylogger)
Reporter malwarelabnet
Tags:exe Loki Lokibot

Intelligence

File Origin
# of uploads :
3
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
additional order_pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-12-14 14:06:37 UTC
Tags:
installer trojan lokibot
Link:
https://app.any.run/tasks/2a1f6a22-0e9c-444f-b10c-412881bdfefa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346272/
Detection(s):
SecuriteInfo.com.Variant.Jaik.77520.19740.21070.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6399d84ca2c2485912c83435/reports/1892c4d8-3bd2-4655-9739-284433c5f2d4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d156327a-7140-4329-a274-68d935574525
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1134271
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf0e1a66f5e4e2277f8860afbc082395b7a3d452d24eeb0631c8f34dae047a45/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-12-14 01:54:06 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4hbuzxv4trco74imcx3ycbdsw32hvcs2jhowbrrzdzu3lqepjcq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04322d8af3fe7d7ba8c91fd9c076c7b7a71f216859cf6a33cbfda968cfaf6581
Loki
381689aa52129bc94e5b821684bf9c00e91af0ef9a56b4490ee071e0cae08c58
Loki
5b51a7e451c70c0271f21acf38747c5af235c18394585c4470f127c343b6ff8c
Loki
5c7c2a90ed8fa653a406566c7224c8b0e0b3a93b8fb3aaef9881d492828fcc8c
Loki
893a4410c9f5b1e2f6d60186615cbffadeb932f55c60b199e9ffdd0aabd83e1e
Loki
a512d074556e9c5f7fe2fbb2ac63088adbaf8b4011a1629cc71cede78bdb2f19
Loki
a5d6e92e8d795d49e69b5f095b8cd864182ed00499985a0efa85d013edb966d7
Loki
+ 9'628 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/221214-red8gada2t/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://drinz.us/FILAZ/QU/coosaza.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dd59b8cd-04a3-4c19-8f5d-cfedf94719b6
Unpacked files
SH256 hash:
43cec2db0e28a09baca0fe29b69c7382d25473ac146d21a6f84763bb7e8b9e98
MD5 hash:
4c4c9da4f262cb66ed53b99f53c78e14
SHA1 hash:
d7ee962528e07da7b66aa8dabea98804c36502a4
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/382b1dc3-b079-4ed5-bd94-340152a2878a/
Parent samples :
34cb99613940f2408bc3ca05b9fef7b8d490cd8cada151b65251a1f76fdddc81
e1f1a46473b3ace74c79e93e2b14e01855107c183ef4859f23fef8c9c0f18508
1c98eba313c5786fc35259e16cf96053540a5e36b875b490b3f2fbf0cca43645
1052cd8feba9809abbd2cc008e37420a6b287c423b4df5b0a1385a1ce34fcb11
cf0e1a66f5e4e2277f8860afbc082395b7a3d452d24eeb0631c8f34dae047a45
45cb5b5cb3f89017758190e83cf28cdca801f84bba07aa0217606430cb13e16a
SH256 hash:
97ffe6106c771ca67de55a9852d88384a6c5ac6e8fe6f8d635bcf051899501f0
MD5 hash:
db27131e75a7bf474a7dc4c479bd1359
SHA1 hash:
19584a4ed3909d9a3845592a1b6f2de1e4fe350c
Link:
https://www.unpac.me/results/382b1dc3-b079-4ed5-bd94-340152a2878a/
SH256 hash:
cf0e1a66f5e4e2277f8860afbc082395b7a3d452d24eeb0631c8f34dae047a45
MD5 hash:
b6e8a1cedb6c4c352c40965041a70b0c
SHA1 hash:
c05f0d0be379aec2db64f44f8d13cb9233186c97
Link:
https://www.unpac.me/results/382b1dc3-b079-4ed5-bd94-340152a2878a/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf0e1a66f5e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cf0e1a66f5e4e2277f8860afbc082395b7a3d452d24eeb0631c8f34dae047a45

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/346272/

Comments