MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d806178b62d3f7a92aa7024510ef9fe8b40b9d0d0505df7f606936bc814b9e02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d806178b62d3f7a92aa7024510ef9fe8b40b9d0d0505df7f606936bc814b9e02
SHA3-384 hash: 00cf87e3490040a2e0388e354ff9b827d54c350ce47ee154cb565a824cda0b6aa5bf1cca73fe2a2cb36414708220f540
SHA1 hash: df63d84ca2f28a52c8b5e34babfcadd3d8cabf49
MD5 hash: 56d864a348c49020d928084623dd2395
humanhash: pasta-fanta-mobile-stream
File name:DHL INVOICE.exe
Download: download sample
Signature Loki
Create hunting rule
File size:985'600 bytes
First seen:2022-09-29 15:57:22 UTC
Last seen:2022-09-29 16:48:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'646 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:ziHs/gxD02iNT61uTYxzQ7IekbsRFADqjJ5n7P7r9r/+ppppppppppppppppppp/:eH01V6YTIQ7+YHjr71q
Threatray 140 similar samples on MalwareBazaar
TLSH T1FE25291465EA512CF8BA8BB45FE4F8F6491BFEB5253960BE20E43B436B73A41CC91035
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter abuse_ch
Tags:DHL exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/314882/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Searching for synchronization primitives
Launching a service
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6335c090d089a0c15dd2c353/reports/b53a9200-2993-44c6-bb6e-24beb7860333/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f9433662-bc4b-4e26-a959-86a3cf7d3de4
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1080267
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d806178b62d3f7a92aa7024510ef9fe8b40b9d0d0505df7f606936bc814b9e02/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-29 10:15:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
45
AV detection:
22 of 40 (55.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3adbpc3c2p32skvhajcrb3475c2axhinauc5673ane3lzakltyba._file
Verdict:
malicious
Similar samples:
087637191c81af5aa71843de168971c8cd48ba5f300b824cf4b9e39249f4bba5
Loki
1d54c7f11bb2f8ac095bf334f0d8025ae7b8299c483c62ad9604f22b92204814
Loki
34ff7d92c1c335d251ad12780ccc8fb3a10430fc20cfbb0ff55c40128ffe9a81
Loki
4b8c422424da67396c509a69146fea0c028e4a85994413205ae933c4a9a5bd5d
Loki
4fdbb565cacf8d38c63c42c2afeaaf59e6b5bf226709cde754219c96fee3aff9
Loki
bed584b2fd812270f30bffea36dec6db7a464f353f06bbf06252300e51ac4f76
Loki
ffc51f2ef0542e31be26668f49bf65a719ea827188707a83ca5421d2ad8b6fbc
Loki
+ 130 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220929-teha8sbch6/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://162.0.223.13/?lBuyxTvjLklmk
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/75c52506-ed1d-4f32-8a73-16b46c41b102
Unpacked files
SH256 hash:
23566ac18ad1163a7f4467298c41ee764d2b66e60096b8648b03486817011221
MD5 hash:
6b2801f04bc3a42a8e5a90f3e86b71fb
SHA1 hash:
795361e1314befd87c0c18a8f53090955fbe70dc
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/5d1720f1-61b3-4418-a027-3602dec92116/
Parent samples :
cbeb5d319e3a34043bd299b9615a76867f9a94372dc9cf46de82da74a07009c3
d806178b62d3f7a92aa7024510ef9fe8b40b9d0d0505df7f606936bc814b9e02
SH256 hash:
4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash:
f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash:
5d7add32313074f5a1e9b4ab379298dee8b6217e
Link:
https://www.unpac.me/results/5d1720f1-61b3-4418-a027-3602dec92116/
SH256 hash:
8b35d0c5afc637637cbf9d8029951ac0ac768b99e94f0d883d8f946fdfde18aa
MD5 hash:
7c0086d1a4d281206942298a962fca03
SHA1 hash:
32e854f4ad0d0274a3d11b8b03ac81fbe670fbc2
Link:
https://www.unpac.me/results/5d1720f1-61b3-4418-a027-3602dec92116/
SH256 hash:
d806178b62d3f7a92aa7024510ef9fe8b40b9d0d0505df7f606936bc814b9e02
MD5 hash:
56d864a348c49020d928084623dd2395
SHA1 hash:
df63d84ca2f28a52c8b5e34babfcadd3d8cabf49
Link:
https://www.unpac.me/results/5d1720f1-61b3-4418-a027-3602dec92116/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/d806178b62d3f7a92aa7024510ef9fe8b40b9d0d0505df7f606936bc814b9e02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe d806178b62d3f7a92aa7024510ef9fe8b40b9d0d0505df7f606936bc814b9e02

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/314882/

Comments