MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da65aee4d8d8b4f979ab4176c9e69347e06187ef59c03914f278859acadff45a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da65aee4d8d8b4f979ab4176c9e69347e06187ef59c03914f278859acadff45a
SHA3-384 hash: d5790057ab0e4756b961ab21ef707073fafa8361d792263b090f2910fec5eead817028d7a3393515c7bd6304f7d3a5db
SHA1 hash: ee845f1f34fe6d728f368ea3d2ed2831cf9932b5
MD5 hash: c2054ed016db1e929d4ba83cf72f7872
humanhash: red-california-high-cup
File name:N32589900.exe
Download: download sample
Signature Loki
Create hunting rule
File size:975'872 bytes
First seen:2022-09-22 07:56:33 UTC
Last seen:2022-09-29 10:22:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:hpFGux7CC9iCxET7RGImvgmN1D2oesyyJN/1v041BM29Ljjl0:hpWqiyEH4I0WoesLV0YBMCjjl0
TLSH T146259C1127EA8E03F2795BB584E0D47087B56D02D56AC38B2FC61DDFB252BE68681327
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 74d298b898b0f8b4 (11 x AgentTesla, 11 x SnakeKeylogger, 9 x Formbook)
Reporter TeamDreier
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
N32589900.exe
Verdict:
Malicious activity
Analysis date:
2022-09-22 07:59:50 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/ae0495dd-a484-46b7-9153-88c2de685ecf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312244/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6660.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/632c159e36ba812561abee66/reports/0167f6ae-78dc-4451-98cb-0e7fe99cef5e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81aaabda-98c0-473e-a6d2-17a16a2f88e3
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075093
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/da65aee4d8d8b4f979ab4176c9e69347e06187ef59c03914f278859acadff45a/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-09-21 08:28:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
23 of 41 (56.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3js25zgy3c2ps6nlif3mtzuti7qgdb7plhadsfhspcczvsw76rna._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/220922-js9mjaafa3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://sempersim.su/gk3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/711a41aa-0c34-4493-bf51-395254176f5d
Unpacked files
SH256 hash:
49bdf1ed18d453e600a6c7301f1b061f10287420791b8b9feb0369e9dda02f6e
MD5 hash:
3ffbc0acbbb9980bff34a8d6ab1218a6
SHA1 hash:
dbe6a122a17fb0dd8a2953c1e41d12f04520bfd5
Link:
https://www.unpac.me/results/e75b06b3-77e1-4e4f-bf6a-e07ab9df2ea8/
SH256 hash:
f8471f0dd61647e095900300b0d20168ca3a07c0c70f1c545247d9dd2727d2ff
MD5 hash:
7e7571fc40e6a4a3b061f89275002881
SHA1 hash:
8ebdf7ee12b15c044b8383fc7522498a4609d90a
Link:
https://www.unpac.me/results/e75b06b3-77e1-4e4f-bf6a-e07ab9df2ea8/
SH256 hash:
d1886e36357a1276a435d3fe093b624c6ccea9c2bf4253d8e41bde70ecc2910d
MD5 hash:
97825d574a817eb60754c815274b1aeb
SHA1 hash:
84a8880045f252e3e78e334e67cc0f7cfdf1d63e
Link:
https://www.unpac.me/results/e75b06b3-77e1-4e4f-bf6a-e07ab9df2ea8/
SH256 hash:
5ef85c9d6fb6247b6ce941403f9652754333da964a53a835135b5d87671b6ffc
MD5 hash:
db8268998a219fe36aca11da8f42ad87
SHA1 hash:
63ee65e7b651ef983ae730761ab5e6a9d9cb70f5
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/e75b06b3-77e1-4e4f-bf6a-e07ab9df2ea8/
Parent samples :
4c1e931dea2deeab544ccf36257c87bd395385e54765fd38c20d999338f3293e
418e1af063dc2e3a10e0507fbb72d7afc74a11a737eb790ad9f60d7c67999c01
989e37904256682bf82062c0649aa0b41f278705ad722f7c1be9a7966d4312b9
dd905894bd06f37b177dda986cd4378e3bafb3a991c15f8f430b23f24498223f
2ffca591481e2b654f5fedb10627d3a25ef9aa84d45723e0a343d7a2ca21f78f
0e2a3243365380d4d8e6f64f6162935b1e8a366f02c574151234b48f25d0de6e
a4d14d5e1d1899c6f86455561db1b23bc9dd456f3fc0e9a01ed67b204ebecf9e
da65aee4d8d8b4f979ab4176c9e69347e06187ef59c03914f278859acadff45a
ae4ad82fdbd7be97e93a92555320e683ea177de299f4a882411d652b464837f7
db382b74819cd4431972a7fcd845aaab7c62ff55c5bcedf92af38a17be07194e
8766fd6dfc19005f53805d67b96168319d9d0812a8806d6fda9049ecc327d0b0
2493b7f9d3e433a649edc03d76311d3e119de0b2e531b2fe5c0fe418a3282187
b1232ebc02cd61f1a97a8e08a98a59beedae5e33434031761f669f04f418d282
SH256 hash:
edadc813f4440ada276da601d8f31780e5e138b8ee392e3f49a509322a1fb51e
MD5 hash:
574597554c69083c1af2b742a97a92b6
SHA1 hash:
043eea660b8650c5a0042f842fd8db3516d37a2c
Link:
https://www.unpac.me/results/e75b06b3-77e1-4e4f-bf6a-e07ab9df2ea8/
SH256 hash:
da65aee4d8d8b4f979ab4176c9e69347e06187ef59c03914f278859acadff45a
MD5 hash:
c2054ed016db1e929d4ba83cf72f7872
SHA1 hash:
ee845f1f34fe6d728f368ea3d2ed2831cf9932b5
Link:
https://www.unpac.me/results/e75b06b3-77e1-4e4f-bf6a-e07ab9df2ea8/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da65aee4d8d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da65aee4d8d8b4f979ab4176c9e69347e06187ef59c03914f278859acadff45a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe da65aee4d8d8b4f979ab4176c9e69347e06187ef59c03914f278859acadff45a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/312244/

Comments