MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
SHA3-384 hash: 0f4d159b66cca33030d6b14df100d4d9446015a4b627975128e1c0baf2b6c61b9983054e35f1fd7761ecfb8cc2d53b19
SHA1 hash: 465738a3e31b16ad80c44f3dc7bdd762e402cb51
MD5 hash: a54bdd270a424ec79b735ef6b513c2e4
humanhash: september-glucose-dakota-quiet
File name:seemefasterthanbeforewithhisbestthingsinonlineforgetreadyfor.hta
Download: download sample
Signature Loki
Create hunting rule
File size:182'364 bytes
First seen:2024-11-18 17:35:43 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:4vCl1722AAZtbZfjdDINnmScJXD65zbfKZ/UQ:4vCld22AAVjBIcyzbfyUQ
Threatray 4'410 similar samples on MalwareBazaar
TLSH T15804D596DE301DDCB7CC0DA3B2FD71C9BA7C93ABA3DA0E6691AB3141D95831C90C0465
Magika txt
Reporter abuse_ch
Tags:hta Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673b7c685107a56eacc79806
Tags:
infosteal gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
GT:JS.Acsogenixx.855
Link:
https://www.hybrid-analysis.com/sample/dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
Result
Threat name:
Cobalt Strike, HTMLPhisher, Lokibot
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557930
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected Cobalt Strike Beacon
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected HtmlPhish44
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1557930 Sample: seemefasterthanbeforewithhi... Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 15 other signatures 2->79 9 mshta.exe 1 2->9         started        12 svchost.exe 1 1 2->12         started        process3 dnsIp4 91 Detected Cobalt Strike Beacon 9->91 93 Suspicious powershell command line found 9->93 95 PowerShell case anomaly found 9->95 15 powershell.exe 34 9->15         started        53 127.0.0.1 unknown unknown 12->53 signatures5 process6 dnsIp7 57 66.63.187.231, 49739, 80 ASN-QUADRANET-GLOBALUS United States 15->57 43 C:\Users\user\AppData\Roaming\caspol.exe, PE32 15->43 dropped 45 C:\Users\user\AppData\Local\...\caspol[1].exe, PE32 15->45 dropped 47 C:\Users\user\AppData\...\qzegfbt4.cmdline, Unicode 15->47 dropped 69 Detected Cobalt Strike Beacon 15->69 71 Powershell drops PE file 15->71 20 caspol.exe 4 15->20         started        23 powershell.exe 21 15->23         started        25 csc.exe 3 15->25         started        28 conhost.exe 15->28         started        file8 signatures9 process10 file11 81 Antivirus detection for dropped file 20->81 83 Detected Cobalt Strike Beacon 20->83 85 Tries to steal Mail credentials (via file registry) 20->85 89 3 other signatures 20->89 30 caspol.exe 20->30         started        35 powershell.exe 23 20->35         started        87 Loading BitLocker PowerShell Module 23->87 49 C:\Users\user\AppData\Local\...\qzegfbt4.dll, PE32 25->49 dropped 37 cvtres.exe 1 25->37         started        signatures12 process13 dnsIp14 55 94.156.177.95, 49783, 49839, 49888 NET1-ASBG Bulgaria 30->55 51 C:\Users\user\AppData\...\31437F.exe (copy), PE32 30->51 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->59 61 Tries to steal Mail credentials (via file / registry access) 30->61 63 Tries to harvest and steal ftp login credentials 30->63 65 Tries to harvest and steal browser information (history, passwords, etc) 30->65 67 Loading BitLocker PowerShell Module 35->67 39 conhost.exe 35->39         started        41 WmiPrvSE.exe 35->41         started        file15 signatures16 process17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21/
Threat name:
Script-JS.Trojan.Acsogenixx
Create hunting rule
Status:
Malicious
First seen:
2024-11-18 15:15:01 UTC
File Type:
Text
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pf3khumcfh2rj5zuhncxo5bacmu52so2qd3ym4n5xwf7ai23yqq._file
Verdict:
malicious
Label(s):
lokibot
Create hunting rule
lokipasswordstealer(pws)
Create hunting rule
unknown_loader_037
Create hunting rule
Similar samples:
0dc69e491c783527c6465e25b8b33447391ae9d7ace6e4c1c20db8047aa1918a
Loki
0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee
Loki
594a574211cffc47d78817221315092ab978403b71e1ff43922286ec9f60e188
Loki
63703694c54d43f82c63cb2f61964b693a73bcf6f013cda7e226d29a77d0c82b
Loki
79866667d5cd578a1c6eda54a748ff9d316fff39064eecd282bc2a9ad8a5ac7d
Loki
a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4
Loki
b32a47004e6134879604cb3246c89b351bc5fb2547b1d87070846c5719951727
Loki
error
Loki
fc05c8cd30f572b0db13bc5189c99ce499f133f7b65167c06518638c26623a81
Loki
+ 4'400 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection defense_evasion discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/241118-v6jtta1fmf/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Lokibot
Lokibot family
Malware Config
C2 Extraction:
http://94.156.177.95/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

HTML Application (hta) hta dbcbb51e8c114fa8a7b9a1da2bbba100994eea4ed407bc338dedec5f811ade21

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3295141/
  
Delivery method
Distributed via web download

Comments