MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dad8c93bcc13fc14eaa524eb580ba849cc4070a3ac23e511e44b2fddd832c4b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dad8c93bcc13fc14eaa524eb580ba849cc4070a3ac23e511e44b2fddd832c4b1
SHA3-384 hash: 516c90bd347b3a591d6d12116b1920692baeef6b9bfda5e0fa91cd886c8c3a9ac7f7ef90e5c6c582714f2e4b5cd146c1
SHA1 hash: 65868fdf6783edfcc6bfec97184c9a429899b56e
MD5 hash: 9180fa96e950bd1932008fdfb8a87acd
humanhash: sink-delta-ceiling-seven
File name:?????? ?? ?????? 15-02-2022·pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:200'640 bytes
First seen:2022-02-15 14:30:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (728 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 3072:XbG7N2kDTHUpoulOl5cbgm5uvUqa6Ehou+fW09gqfT1g95MA6ZqtIAtHjQFnVu/S:XbE/HU4sgJa6EhQJ9TTusAOhAdj4y2
Threatray 9'280 similar samples on MalwareBazaar
TLSH T18E1402215B61C063E422DBB0A937563FAFB8D9292DA0851727D47F3DAC563C2890F35E
File icon (PE):PE icon
dhash icon 3aea82dafeecfee0 (2 x Loki)
Reporter abuse_ch
Tags:exe Loki signed

Code Signing Certificate

Organisation:Forringers
Issuer:Forringers
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-15T10:29:50Z
Valid to:2023-02-15T10:29:50Z
Serial number: 00
Intelligence: 325 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 2db5d3acca16f58f17c6ce5c659c2f6940d2ed371de348adc9c33cd2bf715489
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Loki C2:
http://164.90.194.235/?id=7361073434082270

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://164.90.194.235/?id=7361073434082270 https://threatfox.abuse.ch/ioc/387465/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241641/
Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/620bb92aa2660f3bb9db6a45/reports/3461d562-3e3e-4d48-bc40-52683ac507e8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41efa8dd-a388-470b-8470-b8d5ac1beb81
Result
Threat name:
GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940142
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 572620 Sample: ______ __ ______ 15-02-2022... Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 24 googlehosted.l.googleusercontent.com 2->24 26 drive.google.com 2->26 28 doc-14-94-docs.googleusercontent.com 2->28 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Multi AV Scanner detection for domain / URL 2->38 40 Found malware configuration 2->40 42 4 other signatures 2->42 8 ______ __ ______ 15-02-2022#U00b7pdf.exe 23 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\Local\Temp\rtscom.dll, PE32 8->18 dropped 20 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 8->20 dropped 22 C:\Users\user\AppData\Local\...\System.dll, PE32 8->22 dropped 44 Tries to detect Any.run 8->44 46 Hides threads from debuggers 8->46 12 ______ __ ______ 15-02-2022#U00b7pdf.exe 21 8->12         started        signatures6 process7 dnsIp8 30 164.90.194.235, 49808, 80 DIGITALOCEAN-ASNUS United States 12->30 32 drive.google.com 142.250.181.238, 443, 49801 GOOGLEUS United States 12->32 34 googlehosted.l.googleusercontent.com 172.217.16.129, 443, 49802 GOOGLEUS United States 12->34 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Tries to steal Mail credentials (via file / registry access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 54 3 other signatures 12->54 16 WerFault.exe 2 12->16         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dad8c93bcc13fc14eaa524eb580ba849cc4070a3ac23e511e44b2fddd832c4b1/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 12:09:38 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
14 of 25 (56.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lmmso6mcp6bj2vfetvvqc5ijhgea4fdvqr6kepejmx53wbsysyq._file
Verdict:
suspicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
125fdd6ece6bef31be73fa219aebd74708a750bddc944ea481bb07f7fa7ceae9
Loki
23b5df2d469238921bc4292d4ad2f179d57b19eba17a93c37af5d3ccae03f1c0
Loki
59819eed25c7ec484455237149273827c8c3476bf961f5be7443e856d3131259
Loki
7768da29cc4ef93cb4790f664e139d1d8c2972e22fe8840b6b86c50e15dba347
Loki
88a56adfda71155cd315c64ca5ab176120f7d74369cc752cb63ee6a00f90e736
Loki
c6f93eb69924750adbe61115b2d6a200d534e783c6bd4ca0e2c0cd2969e9469e
Loki
da3208711d472f6c9af1141faa1272cab7b80cbaef1cfe0c24c5b1597f7a0c99
Loki
+ 9'270 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:lokibot collection downloader spyware stealer suricata trojan
Link:
https://tria.ge/reports/220215-rvpzxahbfn/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent file
Loads dropped DLL
Reads user/profile data of web browsers
Guloader,Cloudeye
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://164.90.194.235/?id=7361073434082270
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
dad8c93bcc13fc14eaa524eb580ba849cc4070a3ac23e511e44b2fddd832c4b1
MD5 hash:
9180fa96e950bd1932008fdfb8a87acd
SHA1 hash:
65868fdf6783edfcc6bfec97184c9a429899b56e
Link:
https://www.unpac.me/results/cfa70b5b-bfca-4135-8f02-d10c5ec2e2a6/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dad8c93bcc13/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/dad8c93bcc13fc14eaa524eb580ba849cc4070a3ac23e511e44b2fddd832c4b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241641/

Comments