MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
SHA3-384 hash: 5f170ec57d56742aa22d396726087e429403af39250f0c580e902783f37c3330e22b6c950943a25d0cd8d190e346a1e5
SHA1 hash: 3ea5c54ed5882eb657fe86e4877c8e54063bc7b0
MD5 hash: fc8f3e9da2f2d9811bb88b5f7ee41dce
humanhash: carolina-seven-maine-utah
File name:Purchase Inquiry Daxparker 03062023 files.exe
Download: download sample
Signature Loki
Create hunting rule
File size:902'656 bytes
First seen:2023-03-06 04:35:25 UTC
Last seen:2023-03-06 06:37:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:OgWAwb3cOQ7IZLYMLDM5fmVyUrQ3/xOyEY3yHwkI+R8EAakuO3S2:EAA3cOQkSM4+VM3/QyaHxI+eEAaOC
Threatray 111 similar samples on MalwareBazaar
TLSH T132155A7371BC90AFF58A003750387B882B3CA453A6D5A20776F6758C95C18BAFE94ED1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6cd0d0ccc4ccf4d4 (1 x Loki)
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://68.183.13.128/?page_id=4136377

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
Purchase Inquiry Daxparker 03062023 files.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 04:35:54 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/bbb7f4e7-b4cf-4c53-9778-9a8684af1a50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/371764/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lokibot packed
Link:
https://www.filescan.io/uploads/64056db4bfec0852a68f8ed1/reports/27257a18-c3d7-4c34-b8a4-6052978429b4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1187499
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616/
Threat name:
Win32.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2023-03-06 04:40:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
14 of 25 (56.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=23w3vgden37mztbpty24kn6yuchzq27pnfhp3sgnyayb7ah3uyla._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0c69a178d45b450afee622418a4a5294599de3aba419cc8b92ab4b08c28ab493
Loki
30effb0aff6fa76c3ad8a5cbce7fda55b0cb0ab823e2d5aabb8a804c29137c01
Loki
63ca930143e890d08ed3b8b8e0804350795ce6b053ac57621602743562f199f7
Loki
70be751106b253c90ed4d19a828dbf3505f1d3dd322c2220c4856157f8297b09
Loki
8b5d2f25a3b2c3ca76ff1815a0a45442bd4e1e8b74709af37670208f397f4ad5
Loki
9235e70ae950a3b47729b9cd33bd38b37a0f89b855f4d171ff04a907815b3c65
Loki
99e2a2ff576947884f1b3019b01893b5e1df07e20187c9de9f274bbb971118db
Loki
fccebf9b597398ab3e46b9f50076f8a3bcdb24cd4f3786e1c4540637cf32d96b
Loki
+ 101 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230306-e7874aab6t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Lokibot
Malware Config
C2 Extraction:
http://68.183.13.128/?page_id=4136377
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Link:
https://www.unpac.me/results/bbd39ce3-2628-42bc-84ab-44b0da74cd73/
SH256 hash:
36327d9a70459c61240d719f852c8d4c3eafe8c2abf4891a5646e4cedd41b03a
MD5 hash:
fca8eaa0d10ae39d32e74a03a40152b3
SHA1 hash:
b19ea1758a47910a1c4a0c2d99dee13d65183447
Link:
https://www.unpac.me/results/bbd39ce3-2628-42bc-84ab-44b0da74cd73/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/bbd39ce3-2628-42bc-84ab-44b0da74cd73/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
ad2a36f03c2ae5ebcb42d293eff48e34b17e6594d13c359c93621f754cb9ae70
MD5 hash:
0ed86064346b6dc5140b44e69a499c71
SHA1 hash:
5e4417d338d6604dcceb7bb3413c1aa149aba794
Detections:
lokibot
Create hunting rule
Link:
https://www.unpac.me/results/bbd39ce3-2628-42bc-84ab-44b0da74cd73/
SH256 hash:
11d023325f99b8ea727359780bb58d68bdd5b948ca2ba3e9fc13b36ab2fb005c
MD5 hash:
a53c9a40bca8d343700294aaba3b9978
SHA1 hash:
3dcfd33aa1ea390079dc91ed52c640f4e7149cd9
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/bbd39ce3-2628-42bc-84ab-44b0da74cd73/
Parent samples :
89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7
d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
06460ceaf5a16fcd4d69720ff95097e3980c319b3d30184a7f79de52c15a8384
SH256 hash:
d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616
MD5 hash:
fc8f3e9da2f2d9811bb88b5f7ee41dce
SHA1 hash:
3ea5c54ed5882eb657fe86e4877c8e54063bc7b0
Link:
https://www.unpac.me/results/bbd39ce3-2628-42bc-84ab-44b0da74cd73/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6edba98646e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d6edba98646efecccc2f9e35c537d8a08f986bef694efdc8cdc0301f80fba616

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/371764/

Comments