MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345
SHA3-384 hash: 7334cc922a364d90fe307cb2fa71cc768618223a1cf4a25caa086fe92fa14210b6ec36b142683607ed185c531f7127db
SHA1 hash: 39984742479582109c98eca42b6c94ef694f3e37
MD5 hash: de397189fe82a4ebe1598831d5cd01cf
humanhash: hawaii-butter-florida-nebraska
File name:Fk2R8VvodKESjNz.exe
Download: download sample
Signature Loki
Create hunting rule
File size:864'256 bytes
First seen:2021-02-18 15:30:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:Fv0A/gEFKsIHLJ+lyMziSR9De65ASncRoLoXTerDsFJTO187DuyNsKOOmIKsXhii:RFKLriziS1NtoqrgTO8yKDDsluiH
Threatray 10 similar samples on MalwareBazaar
TLSH 8605E02362C82FD6E17F87B89D20301093F5BA1BD722EE8E3E9525DD1571E405A72B1E
Reporter c_APT_ure
Tags:Loki pwd-protected


Avatar
c_APT_ure
Date: Thu, 18 Feb 2021 21:34:19 +0700
From: Norbert Streicher <pnh@kagumhotel.net>
To: undisclosed-recipients:;
Subject: Fw: Aw: PURCHASE ORDER
Reply-To: Norbert Streicher <N.Streicher@erdwich.de>
User-Agent: Roundcube Webmail/1.4.10
Message-ID: <48f01055d0fad1095abdc139cb99456f@kagumhotel.net>
X-Sender: pnh@kagumhotel.net

attach:
ab783e0a4e1080817f4145f30cd24426 PO-02182021 pdf.gz

contains pwd-protected zip
2111fb9404cbce8180364e618cd15143 PO-02182021 pdf.zip

pwd = filename without ext. ("Fk2R8VvodKESjNz")

contains exe:
Fk2R8VvodKESjNz.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345.zip
Verdict:
Malicious activity
Analysis date:
2021-02-18 18:53:21 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/56a5486d-d539-4433-859d-42152262ac58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117808/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.545.23032.12859.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/611742
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-18 15:31:06 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ue4j4o523uvbnw5be3sovizengik3l3oxqwy3j2tunmeq2nuncq._file
Verdict:
unknown
Similar samples:
0c10d7fbab534bfee1ca3408fa01a956c99ae6c52d565bbb584c486eff2eaa2c
Loki
190125119b36f51385b347e64c4a679c67b0ae754a6032f04f2f9988cce6f6e0
Loki
4328e4ac330339d884b95d99128404d4f8b5d6b695a9f583ff4c3f3a61ac4ff8
Loki
4923efabccafed3267ca2ebcbca5a233aa67997f6f47dc279f97917b0fecd248
Loki
7432ea3b561da4e75f3e81b511b0a2b4d9f9d63e293fd1babd22b20c1b27db3c
Loki
75a02ca03fa09ee68ee93a059aa86f14d66276985514c4b3597f9f62a36708b1
Loki
81274d23515440feac07a591db64f946640ab3a4350bbfaa0d955ced83175fb0
Loki
8f8895201b402c68eedad4364d4a087076599a0ff617199d91b1591f111269c8
Loki
aeb1aab3be5b90cb85bfe28f0e092c83fee4a742a9cda7b0d8a6e464e6fa7342
Loki
c717b4f3c2f893a8f09d76e534da3febfc671eac69b807670bedfc78adcb86c2
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210218-zzvlph5je6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/kdPYBLiWHt5e8
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b2f91d1427c7b60a3ad485bed04ba75636560783c9265a8f26542d5f6aa5d8a9
MD5 hash:
5ad6dc03137fc80e4e691f4b409d9120
SHA1 hash:
edb38e49ce79ecce33ce9a891df56468c3a4016e
Link:
https://www.unpac.me/results/e5de9119-bcfe-465b-80ce-dbfb1b6347e0/
SH256 hash:
d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345
MD5 hash:
de397189fe82a4ebe1598831d5cd01cf
SHA1 hash:
39984742479582109c98eca42b6c94ef694f3e37
Link:
https://www.unpac.me/results/e5de9119-bcfe-465b-80ce-dbfb1b6347e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz add0326ef48ecb886fa2512f2d092ee8432066cb44787ec1bde6421051471c86

Loki

zip 95174e5cf3ee5084d34ed48e5a4660f996d7f04555af426cffdc91fe193a0c69

Loki

Executable exe d509c4f1ddd6e950b6dd0937275519234c856d7b75e16c6d3a9d1ac2434da345

(this sample)

  
Dropped by
MD5 2111fb9404cbce8180364e618cd15143
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117808/
  
Dropped by
SHA256 95174e5cf3ee5084d34ed48e5a4660f996d7f04555af426cffdc91fe193a0c69

Comments