MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99
SHA3-384 hash:	2b1ad7d2203b2e217953f6f63fbf6efe34a6469399a8c13e50207143bf75ae110bd92429327e97e8298f328c6db0ef85
SHA1 hash:	f92315f8bb635d7934dd77657a11b482bd70464e
MD5 hash:	8d2374ca90b2fa4c236af40e89de41a7
humanhash:	mexico-hydrogen-red-network
File name:	Demande d'offre 14-02-2022·pdf.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	457'944 bytes
First seen:	2022-02-14 08:06:46 UTC
Last seen:	2022-02-14 13:15:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:obE/HUsq8j7IjYLjVrH76Brup88h8h+843ggbxfNSXNISJSdIX3y:obwq846jVrH7pv1bxfUdIOCb
Threatray	9'237 similar samples on MalwareBazaar
TLSH	T1D0A4CF2D0B3CC856F0B02DFC6822EBB97EFC5E11621DF96753206CD718F52925A8919B
File icon (PE):
dhash icon	1998b0b69ee6fc08 (3 x Loki, 1 x GuLoader)
Reporter	pr0xylife
Tags:	exe GuLoader Loki Lokibot signed

Code Signing Certificate

Organisation:	Opsamlingscirkulres8
Issuer:	Opsamlingscirkulres8
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-14T02:47:03Z
Valid to:	2023-02-14T02:47:03Z
Serial number:	00
Intelligence:	325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	eadc7555bdcb331957ecbf3d68459efe2e8b40bf465e06a2178d55d6e7b4f7c3
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

468

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.1089.18626.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Creating a file

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ad6d03b6-14e0-4847-a3a9-3d476c9669a7

Result

Threat name:

GuLoader

Detection:

malicious

Classification:

troj.evad.spyw

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/939173

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected GuLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2022-02-14 08:07:13 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3izaq4i5i4xwzgxrcqp2uetszk33qdf254op4dbeywyvs732bsmq._file

Verdict:

unknown

Loki

23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0

Loki

39cd27e2d57db8bfedfc31413679e5c4cb27274a45c0acb98c0ad81905729ca5

Loki

67732ae3efbde55f0ea32af1488f1a430943f4402b1f2ce163058f5ec76146de

Loki

767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255

Loki

819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

Loki

88a56adfda71155cd315c64ca5ab176120f7d74369cc752cb63ee6a00f90e736

Loki

a319ca95679f9e8a30001a66ec55403a08be8c7398916746baea02c6c6539d02

Loki

ee23fa71bea1f05017e21b38e7592db6334a0fc4e9e44bb48452b40a4ddf0677

Loki

+ 9'227 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:guloader family:lokibot collection downloader spyware stealer suricata trojan

Link:

https://tria.ge/reports/220214-jzzqxaacgr/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Checks QEMU agent file

Loads dropped DLL

Reads user/profile data of web browsers

Guloader,Cloudeye

Lokibot

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Malware Config

C2 Extraction:

http://164.90.194.235/?id=20300464226184894
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99

MD5 hash:

8d2374ca90b2fa4c236af40e89de41a7

SHA1 hash:

f92315f8bb635d7934dd77657a11b482bd70464e

Link:

https://www.unpac.me/results/ea421b78-18e6-4cf8-be09-3b2389637e47/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample