MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d65712c07c5f14c0c4be8d3f67fb71db5e80c1ac41832ba018304f3b73dec719. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d65712c07c5f14c0c4be8d3f67fb71db5e80c1ac41832ba018304f3b73dec719
SHA3-384 hash: 62d4f8bead6cee04e3bc13ee0fbcc1ef7b2c56b9faf4d6fefe05d8720c2aebd0842e0ddf142decb6834f043b5fb900ba
SHA1 hash: 3b96fe2de99c840253b641c6bf7172a7ccc810cc
MD5 hash: e310d720d6ea9ef7e6fb0920772f3eef
humanhash: one-zebra-wyoming-dakota
File name:DHLINVOICE542298.exe
Download: download sample
Signature Loki
Create hunting rule
File size:423'936 bytes
First seen:2022-04-06 16:25:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:T+5B6iGVeENxUPaLky03kq0uPexpqZ6DSXYJq0F:UB6iGzDUPaskqP2N80
Threatray 7'439 similar samples on MalwareBazaar
TLSH T17F94124533E81B11DCBEA7FBB868658003B095272991FB94CCE274CF28627A49653FD7
File icon (PE):PE icon
dhash icon f8e4f239d9b8f8e0 (21 x SnakeKeylogger, 20 x AgentTesla, 11 x Formbook)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261424/
Detection(s):
Win.Dropper.LokiBot-9943279-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Reading critical registry keys
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/624dbf32aa7e43c6a6c36087/reports/700a11ca-14f7-4941-a534-96c82f9097af/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b987eab-af57-43ec-a29a-39f4c6a837af
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/971736
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d65712c07c5f14c0c4be8d3f67fb71db5e80c1ac41832ba018304f3b73dec719/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-06 12:36:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zlrfqd4l4kmbrf6ru7wp63r3npibqnmigbsxiaygbhtw466y4mq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2d4db38cf9cb9e42160b40381f4f053326b6cfae1dcaa5bc0607f5e382c1a8ee
Loki
36e21f851c6c8cf553b80c7e5cd9010ff393265bb594cf4f03f25a94393266c2
Loki
4896dda29c782a97640157ea008a9438707258e179b05b0a62cb04b4598830ba
Loki
d88a68b1ab516aa6ef3bdf0f5eb025ebd2da3201e2cd4afe049ca5fd3dfe05cd
Loki
eb37e33c7d29b68f41dca837935a62603662baffa38698711715b754df184d13
Loki
+ 7'429 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220406-txjl1sfbg2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://164.90.194.235/?id=6403718288508888
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
c935caf17f5a87ed689640866ad23586fd13eea0bce8727e7ce99d7bdfe72a01
MD5 hash:
bc08afc77824b17f65639c0d36e81700
SHA1 hash:
4c17987a1563c20e555a098edf2b55fd7c8802a5
Link:
https://www.unpac.me/results/4b82626e-11ad-4435-96a2-43d62f332152/
SH256 hash:
314bb82a217ab5dafdafc855bbb980a2a751d1583b9a563e6e843621e4a85158
MD5 hash:
9e165d54d74ee9fc6763e2f4b5a0ae57
SHA1 hash:
67daa1fa6200fda79fe163b7f697c9967917b987
Link:
https://www.unpac.me/results/4b82626e-11ad-4435-96a2-43d62f332152/
SH256 hash:
fe58122a2dc9f6b7c57eb945796affbcaa214b940cc31ea78bb3a93ec99b78bd
MD5 hash:
d4be86e94d2483566e3b788be1cf4658
SHA1 hash:
9e859c78492536bbcb13ce9a1efdebf5b73a6316
Link:
https://www.unpac.me/results/4b82626e-11ad-4435-96a2-43d62f332152/
SH256 hash:
3bcfbba728f5b147066f1d723b6b8d3194a85e2ddb2d1a4267fb73671e68dc74
MD5 hash:
2db055ea93e99f6178f1159e51d3624f
SHA1 hash:
fb0f1a4c56413ef7e91ef7859b675cad03a8b920
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/4b82626e-11ad-4435-96a2-43d62f332152/
Parent samples :
b972adad8526307d59a135849e8db3767c69cad11887eed10d82d435544e6dc9
d65712c07c5f14c0c4be8d3f67fb71db5e80c1ac41832ba018304f3b73dec719
94807f7cc3c29e865c07cda8465499fbc8e419d2d7f171f0c0838c62a8453aba
SH256 hash:
d65712c07c5f14c0c4be8d3f67fb71db5e80c1ac41832ba018304f3b73dec719
MD5 hash:
e310d720d6ea9ef7e6fb0920772f3eef
SHA1 hash:
3b96fe2de99c840253b641c6bf7172a7ccc810cc
Link:
https://www.unpac.me/results/4b82626e-11ad-4435-96a2-43d62f332152/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d65712c07c5f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261424/

Comments