MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46
SHA3-384 hash:	7d6f072ec45b16f6b08a1e993a2a7e1e1d1898f13a5dd6e7dd68b2bf1f182ced47840189fe4f5420c8d16165558be354
SHA1 hash:	0ca91ef01e929c91cd5aff5d1623623a0d21eb76
MD5 hash:	de6fc7d0e2f09392c8cb71f654630a24
humanhash:	mobile-lithium-failed-potato
File name:	Fedex Invoice-XXXXX4210-02032023073135894221.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	734'208 bytes
First seen:	2023-03-21 10:09:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:jEJnFe40pox9o4+QYa80uAg9P5/iEta/66briG23oEf5WNRtuDZNmLIIjMOLE4XP:I4jIzuAIrgfBEoSWYDjmUIjMe
Threatray	3'984 similar samples on MalwareBazaar
TLSH	T1FEF4011A37A99917C34A5470C1E345181371A9836B73D7883ECE13961E0E7EA9D8AFCF
TrID	66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.5% (.EXE) Win64 Executable (generic) (10523/12/4) 5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe FedEx Loki

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

Fedex Invoice-XXXXX4210-02032023073135894221.exe

Verdict:

Malicious activity

Analysis date:

2023-03-21 10:27:20 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/5ed16c3a-5c51-4f28-9784-60924ed45bc2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/376190/

Detection(s):

Win.Trojan.NanoCore-9993885-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm packed

Link:

https://www.filescan.io/uploads/64198282e6d26a096f574ae2/reports/bbf65a2d-7600-42ce-b62a-7bd8c4c68772/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8f46e02d-c655-4d07-ad45-74a46c959d7c

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1198413

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2023-03-21 03:44:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 37 (43.24%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3c6pqy5yv5otubrcvmx6i2dveim2d2aoqxgldz6ssyemwsjvb5da._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

78a5a0b0bed684217ba65ee4f92daebaa0ef82c9f95d9a5999e0b3755e2ba823

Loki

7e44c6fb6963620960fe0f8574af42ec032aaff7238bf470cba2c4af3a9da77d

Loki

823a3ef9755e5c604c26746462e5c3edd55b21951918ff458ba283f3679d8911

Loki

93b0d7f44fe52ecc63fc27d48da7876ee50872e2471591c0304ca21d0ccc68d6

Loki

9f2bf9f08f9bf9ec6e6043a7de37093c1b2e64667b87cbff6e4bdee5f994f9fb

Loki

aa5db1e76d992d81c9b6f368bc705f4240512bc4aa193cc23fa3ba50ce48d1fc

Loki

b29c32eaed48b900408cb17dbf66d4f120229bdd76f9ec66ec2d43fd5ad61c18

Loki

cbeb5d319e3a34043bd299b9615a76867f9a94372dc9cf46de82da74a07009c3

Loki

+ 3'974 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230321-l7dvhsbf8s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://64.227.48.212/?page_id=6303
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

b7a55faa337a2cc95c8fa1905caa1accdfece0f6c43f57bc94383ad503ed83c7

MD5 hash:

e5b34f597009bffe9c727d720e1521ac

SHA1 hash:

da8081e2305b17cfac57e764925eed91f41f96a1

Link:

https://www.unpac.me/results/4f42c96a-fbe5-48b3-92ea-e444c53cc7f2/

SH256 hash:

30780f2a50e90cd2774acd886918d8d92ea624a05b12d0e1faf7cec64a426edd

MD5 hash:

8d4982d22e42360c6097abdcf0ed79dd

SHA1 hash:

d7df2a1af071b636182c8f77affb9bcd9dc8c88e

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/4f42c96a-fbe5-48b3-92ea-e444c53cc7f2/

Parent samples :

93c302b6c6f9186edb01c0192fccec2b77274a243e3eb049ae8c99679f57c9f1
8e8f0ef7fe5176d9ca580c127a9476ca505c4990c317ebd7b18b92129eac4bb2
c013ec7ffc307a96a83494d9c838f60be692507aede1a0b5d7288a3993ccc57b
d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46
a4d692bd2c6bc99530e231e63c93ee24629894b4f9391debdafcc0c161ec972d
b3a40483ab494f036bce8494672fcabc9719ac985979446135ca2625de80056d
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
453b2c84056cde325f4e314ecb272996714901ced897e8605658d25f1036aee6

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/4f42c96a-fbe5-48b3-92ea-e444c53cc7f2/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

000c0889c2d93807781cb5e2c212d07bd38c6fed9b738530f2515640306b5f44

MD5 hash:

8d369299a047f228593293887092e43d

SHA1 hash:

7e38cd87127c3ea59ddba80f7ddf35fb105a7f6c

Link:

https://www.unpac.me/results/4f42c96a-fbe5-48b3-92ea-e444c53cc7f2/

SH256 hash:

f5456a92d081562d53accc9c5647fa782aac16e32a133111ddbd764cd489c897

MD5 hash:

37f2b6232e4071a6ff084463707718f8

SHA1 hash:

14b4724f78869c37dedc01621e16e64c9e255153

Link:

https://www.unpac.me/results/4f42c96a-fbe5-48b3-92ea-e444c53cc7f2/

SH256 hash:

2f5d8de06437f2e24dbe6642bf49af028f22b9a594d9302b12bddb680722aa58

MD5 hash:

68d7da9acb5b42b3aa5dd992edcd1c85

SHA1 hash:

11f8a2a5ae9f22f3c83ea3ccd8c1799322dd0141

Link:

https://www.unpac.me/results/4f42c96a-fbe5-48b3-92ea-e444c53cc7f2/

SH256 hash:

d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46

MD5 hash:

de6fc7d0e2f09392c8cb71f654630a24

SHA1 hash:

0ca91ef01e929c91cd5aff5d1623623a0d21eb76

Link:

https://www.unpac.me/results/4f42c96a-fbe5-48b3-92ea-e444c53cc7f2/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d8bcf863b8af/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d8bcf863b8af5d3a0622ab2fe468752219a1e80e85ccb1e7d29608cb49350f46

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/376190/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample