MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c
SHA3-384 hash: ae850c893054b3186bb569659f96301d34dbe2b90288fed95ca7101684df7b941a82755c4fa1a3b70cd359362a64e359
SHA1 hash: b95debc166afcbf9d165b25838416248c5398eae
MD5 hash: ff230eb127d1958ab5e4caa3d44f783e
humanhash: saturn-cat-mango-autumn
File name:TNT Delivery Report Notification.exe
Download: download sample
Signature Loki
Create hunting rule
File size:671'232 bytes
First seen:2021-01-11 08:52:02 UTC
Last seen:2021-01-11 14:16:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'796 x AgentTesla, 19'698 x Formbook, 12'276 x SnakeKeylogger)
ssdeep 12288:XJnbs/bJkaNqVs7bUcwvuyeDmbZJj8hVyRd9scBFRY+HB4zINn:XJovk4Dy1ZvztHBuIN
Threatray 3 similar samples on MalwareBazaar
TLSH 19E4F0402ABA2F22FD3D47F4153D484417F6382BB566E75D4CDAE0EA3426F064A62F27
Reporter abuse_ch
Tags:exe Loki TNT


Avatar
abuse_ch
Malspam distributing Loki:

HELO: sdk0.507.gdxox.ml
Sending IP: 167.99.171.216
From: TNT Shipment Notification <tnt@507.gdxox.ml>
Subject: TNT EXPRESS NOTIFICATION **Waybill number: 132797239
Attachment: TNT Delivery Report Notification.gz (contains "TNT Delivery Report Notification.exe")

Loki C2:
http://51.195.53.221/p.php/dUQz9bwGRLNK7

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT Delivery Report Notification.exe
Verdict:
Malicious activity
Analysis date:
2021-01-11 08:53:11 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/87ed2f05-b7c8-45f3-89e5-9f4fd7ec3ad6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111242/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57608.9631.29480.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577710
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ddvxrby5rnm5v5tjdf3sxga4hne3jajvvde2hv6t65ot6fcdi6a._file
Verdict:
unknown
Similar samples:
32518775226efb9813e62e4fe5d66050bc7118ac804c8d08aeace793bd9ef635
Loki
622cb2307249d677ec2bfe0781c5870e9882097c6f20e79741e1c552b259b428
Loki
dea38651b06aab617e93bdb343fd28587bdc0e113a4fc957571a06988491ade7
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot evasion spyware stealer trojan
Link:
https://tria.ge/reports/210111-ed7x788hrs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Lokibot
Malware Config
C2 Extraction:
http://51.195.53.221/p.php/dUQz9bwGRLNK7
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c
MD5 hash:
ff230eb127d1958ab5e4caa3d44f783e
SHA1 hash:
b95debc166afcbf9d165b25838416248c5398eae
Link:
https://www.unpac.me/results/2e85eea0-4dce-4cf0-b66e-7b17d006044f/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/2e85eea0-4dce-4cf0-b66e-7b17d006044f/
SH256 hash:
6103d0cac18c8d23fcb5d6eb24fc2a7a6741989d4b0ab50eeebf6fbb87dbb6c3
MD5 hash:
4c0b9e7c7c92e5ff79c180bd8574e763
SHA1 hash:
c83c7eeb05c984747577814aa4d7973511469633
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/2e85eea0-4dce-4cf0-b66e-7b17d006044f/
Parent samples :
d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c
210883cd941e8c923b24deb108f84af9aede53350f8111ed83d1efc8eca8c1ba
897b0c3202ce39cf2929bc681b8dfe7344101bb9856b796e49cfe494e5f8ce38
9efbe2e08784ff116692693b1d1c759c6446741cc515662c2b1bacdc00809754
SH256 hash:
08c5f9099becee7c1391e303b5a3e17bcb4911f60317b5d1e384b40c29339116
MD5 hash:
09c6a0eb9179c832ee835e953401389c
SHA1 hash:
cd9287ef908fccab79b1cdcee3f8cf57a7957400
Link:
https://www.unpac.me/results/2e85eea0-4dce-4cf0-b66e-7b17d006044f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz 719e1f45444fa850ab9d4cd28749d82c4e044a9211cb451a0a0da760421d64cf

Loki

Executable exe d8c75bc438ec5aced7b348cbb95cc0e1da4da409ad464d1ebe9fbae9f8a21a3c

(this sample)

  
Dropped by
MD5 6ea27b359ffa9cb9ecf810227d09f36d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111242/
  
Dropped by
SHA256 719e1f45444fa850ab9d4cd28749d82c4e044a9211cb451a0a0da760421d64cf

Comments