MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d378f6971357840b8cf71b654d7ff91eb0edb08b1415fcba5b8d9aedaebcebb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d378f6971357840b8cf71b654d7ff91eb0edb08b1415fcba5b8d9aedaebcebb5
SHA3-384 hash: 864a2b5bff8ea11064d028bfda42a11fd6ab35124804e32bd28f34d5b6c209824082e2ccda7839c258568151f2744e0d
SHA1 hash: 96aff2be18c043fd8245da46aa5280fd948ad4b5
MD5 hash: c42f3be4be422a95f184037d4006a761
humanhash: alabama-spaghetti-carolina-victor
File name:Comprobante_de_pago.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'192'570 bytes
First seen:2021-05-26 17:39:23 UTC
Last seen:2021-05-27 01:56:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f537b216fd1d228d82b4c032326b2d86 (2 x Loki, 1 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:X4rDy/HJMbgSSxbAQ3LkDJ1iqZ6egzItpFSofPv01jHvfbQOpwYNsh:X4qmjSxbL4DJ19AegzItPjc1j7QWsh
Threatray 2'917 similar samples on MalwareBazaar
TLSH 48456C67B3D244F3C1624E38EC179768A866BF31393498567AE13E0D7E7E2413D2D292
Reporter abuse_ch
Tags:ESP exe geo Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Comprobante_de_pago.exe
Verdict:
Malicious activity
Analysis date:
2021-05-26 21:16:05 UTC
Tags:
installer
Link:
https://app.any.run/tasks/66b35ff9-43b5-4683-b3c2-2d497583944a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/162541/
Detection(s):
SecuriteInfo.com.Trojan0057af071.8391.4444.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Launching cmd.exe command interpreter
Launching a process
Changing a file
Replacing files
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Moving of the original file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/792781
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 425177 Sample: Comprobante_de_pago.exe Startdate: 26/05/2021 Architecture: WINDOWS Score: 100 36 sanpauliomkop.sytes.net 2->36 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 5 other signatures 2->48 9 Comprobante_de_pago.exe 1 23 2->9         started        14 Nukxdt.exe 13 2->14         started        16 Nukxdt.exe 13 2->16         started        signatures3 process4 dnsIp5 40 abillamapetroleum.com 192.185.129.69, 443, 49745, 49746 UNIFIEDLAYER-AS-1US United States 9->40 34 C:\Users\Public34ukxdt34ukxdt.exe, PE32 9->34 dropped 58 Detected unpacking (changes PE section rights) 9->58 60 Detected unpacking (overwrites its own PE header) 9->60 62 Tries to steal Mail credentials (via file registry) 9->62 18 Comprobante_de_pago.exe 57 9->18         started        22 cmd.exe 1 9->22         started        64 Multi AV Scanner detection for dropped file 14->64 66 Machine Learning detection for dropped file 14->66 68 Injects a PE file into a foreign processes 14->68 24 Nukxdt.exe 14->24         started        26 Nukxdt.exe 16->26         started        file6 signatures7 process8 dnsIp9 38 sanpauliomkop.sytes.net 41.217.8.163, 80 SpectranetNG Nigeria 18->38 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->50 52 Tries to steal Mail credentials (via file access) 18->52 54 Tries to harvest and steal ftp login credentials 18->54 56 Tries to harvest and steal browser information (history, passwords, etc) 18->56 28 cmd.exe 1 22->28         started        30 conhost.exe 22->30         started        signatures10 process11 process12 32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d378f6971357840b8cf71b654d7ff91eb0edb08b1415fcba5b8d9aedaebcebb5/
Threat name:
Win32.Backdoor.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-05-26 17:40:12 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2n4pnfytk6caxdhxdnsu277zd2yo3melcqk7zos3rwno3lv45o2q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
03cf03d1cb4fa502ef1992e2aad3f1f7f0d7fbf1f16839d87eaa04f330211bbe
Loki
235602d2819de318cb16c1653d3e2500b64688ad18f8f4e960dff1ab0b7e4b74
Loki
357ab6a0cf97d36af99606bce098c476c4a24085f4d972038b11b3570486d620
Loki
6eee5d1c67a8e34e6d03d64fca1195bf26ceac2a68f454cc37e743ace0483a9f
Loki
9c998b6e088d776bcd603aa78bdbcaf4662c88c6f4ea270933db4ab153e5eea9
Loki
a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521
Loki
ac328fdc21f438733313ebb525a5118799392e49eb3e4d56a8030d618ac370a1
Loki
be2d4c496cf0ef1523ef648817368ef1555e043f9147252c332558515f560691
Loki
d661d0e5f0c691ce7a9602857de9d47e75802967d4375d6e9e01c0d7178b7f7f
Loki
e03954a53253f7f660e3aa933638e57280289b5002288af2b7f0a41e5b921e97
Loki
+ 2'907 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210526-2kh3ze43n2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d378f6971357840b8cf71b654d7ff91eb0edb08b1415fcba5b8d9aedaebcebb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_56f008e69a7c4c3feb389c66eaf58259
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/162541/

Comments