MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae
SHA3-384 hash: 70e18711a7c86d77f98edbad287d4ca94e48c087363861b4e27d183ba14b50c13240eb72f8be24dc5edf0ceb06315025
SHA1 hash: 49ff847840f0326b0ea63577af4ad4502da98b19
MD5 hash: 291a5f3ce37ff799aeae444a25b533a6
humanhash: single-india-zebra-robin
File name:Dekont 1001929 11102023.pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:633'344 bytes
First seen:2023-10-12 13:03:31 UTC
Last seen:2023-10-12 23:09:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:ejPtd2epEFbMkbNZG46Xz3kFE0bFd+m0de2fcRMBLEFx11Hiv2MN+NFh8jG7QwAI:ejBjkbNNhNHG+96+NFh8HWVqB0
Threatray 2 similar samples on MalwareBazaar
TLSH T1CBD4C71A286A110DF662AD3C6BBCB472915EEFF616365C770CF7340612329F08B9D627
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 068f0b2a2b363f06 (19 x SnakeKeylogger, 8 x AgentTesla, 8 x MassLogger)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
364
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Dekont 1001929 11102023.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-10-12 13:05:05 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/1537c438-0772-4e04-ab04-dbe95f6c746c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/453833/
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Changing a file
DNS request
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
confuser confuserex lokibot lolbin masquerade packed packed replace
Link:
https://www.filescan.io/uploads/6527eec3c51de9263e592287/reports/88220d67-835a-4b30-8f71-4b4967e5eff6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cfe0b779-e3ef-46c5-abd2-51aa5a660940
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1324691
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-12 13:04:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 22 (90.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hd4p2yo4lfnu3xede5jm7a4hq7rlih3ope6luh7k5qiqvjxg6xa._file
Verdict:
malicious
Similar samples:
91bff23f123fb307a7baebb69281c6d17f65fc7d3c7891bbbe7df3b486e4d10c
Loki
92a24f21d3606ea93a6c26db85a9053d3d542fe185a301a78ff55b2863bedc04
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/231012-qaxzcadb73/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Lokibot
Malware Config
C2 Extraction:
http://ugopounds.caesarsgroup.top/_errorpages/ugopounds/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b52c0b999b03fa299a3758e1718601a5b44ca68286b5b2eba34820e475f722d5
MD5 hash:
729ea390c8ebea7d979df587d9a1e8b2
SHA1 hash:
5bd020bcbe39aa1d0012a75b0173ca193ecd43fc
Link:
https://www.unpac.me/results/c00518ad-bc51-4eab-8cd9-cdff041534aa/
SH256 hash:
0db00dd6f1294a550bf4367c3d36e1b3c6f36253ecf9983dcba052f1ed50e355
MD5 hash:
d9fda807135b4925d69b847f8c9ab849
SHA1 hash:
1cbfb68f9f2d3d50d792e46e03c3015879308501
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/c00518ad-bc51-4eab-8cd9-cdff041534aa/
Parent samples :
1138eda5d851ed987bd7631c9a12c8b463b577fa42b2602539574a586a5a90a1
6648d6be85d4611f71fb27b7598df56516c433bfe8fd51a1069bfbf1c8be0c29
b06c31ca5664c7f9142039d5a2e4f5201404d08e4d233b594e6e69cb4e1219a5
bdd8bc8cc85047d7ea0a4086a3fcfc1bd9f2f98794d50be234249b1a7e8ee1a6
03541ffcb574dd73c84c4c3b3522225f03862123877b278e97e7a508586382b2
d678f42c6c3a37927a20a466df089d70ea6e97e19888bf75db2a1da1a28710ed
91bff23f123fb307a7baebb69281c6d17f65fc7d3c7891bbbe7df3b486e4d10c
d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae
SH256 hash:
d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae
MD5 hash:
291a5f3ce37ff799aeae444a25b533a6
SHA1 hash:
49ff847840f0326b0ea63577af4ad4502da98b19
Link:
https://www.unpac.me/results/c00518ad-bc51-4eab-8cd9-cdff041534aa/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1c7c7eb0ee2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe d1c7c7eb0ee2cada6ee4193a967c1c3c3f15a0fb73c9e5d0ff576088553737ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/453833/

Comments