MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac
SHA3-384 hash: c21cc891ba163b9da018b23e421d17fe1b36b5dcea8caeb48ee2d4d92f8eaba5d0afd21ea47c4e12e0bdd2f488621f29
SHA1 hash: d3cc11739d47aebc183e425750d53ea0d412c8e0
MD5 hash: ae06697b71084618bb9a2d051f6fad2f
humanhash: berlin-spring-oklahoma-moon
File name:PRORAČUNSKA ZAHTEVA 09-30-2024·pdf.vbe
Download: download sample
Signature Loki
Create hunting rule
File size:74'801 bytes
First seen:2024-10-01 05:31:20 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 1536:sM0x6oY5kcFA/RYq0KkFV8N+FhhxGEoU5J/Gbrf:sM0xlYAJYJFFhhFo9f
TLSH T1EE733C11DBD73F3E8D4623DDB94905F78D7A81F8713580FCA58D862A3022A78DA7E264
Magika vba
Reporter abuse_ch
Tags:Loki vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.24701.8138.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fb8957936bd9db87720fd4
Tags:
Powershell Xtreme Agent Sage
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac
Result
Threat name:
GuLoader, Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1523160
Signature
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523160 Sample: PRORA#U010cUNSKA ZAHTEVA 09... Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 30 drive.usercontent.google.com 2->30 32 drive.google.com 2->32 40 Multi AV Scanner detection for domain / URL 2->40 42 Suricata IDS alerts for network traffic 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 7 other signatures 2->46 8 powershell.exe 18 2->8         started        11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 48 Writes to foreign memory regions 8->48 50 Found suspicious powershell code related to unpacking or dynamic code loading 8->50 13 dxdiag.exe 1 94 8->13         started        18 conhost.exe 8->18         started        20 msiexec.exe 8->20         started        24 10 other processes 8->24 52 Suspicious powershell command line found 11->52 54 Wscript starts Powershell (via cmd or directly) 11->54 56 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->56 58 Suspicious execution chain found 11->58 22 powershell.exe 14 18 11->22         started        process6 dnsIp7 34 137.184.191.215, 49715, 49716, 49717 PANDGUS United States 13->34 28 C:\Users\user\AppData\Roaming\...\31437F.exe, PE32 13->28 dropped 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->60 62 Tries to steal Mail credentials (via file / registry access) 13->62 64 Tries to harvest and steal ftp login credentials 13->64 68 2 other signatures 13->68 36 drive.usercontent.google.com 142.250.184.193, 443, 49705, 49714 GOOGLEUS United States 22->36 38 drive.google.com 142.250.184.238, 443, 49704, 49713 GOOGLEUS United States 22->38 66 Found suspicious powershell code related to unpacking or dynamic code loading 22->66 26 conhost.exe 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-09-30 13:27:27 UTC
File Type:
Text (VBS)
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3rtap5fkmpieib4zirbph4efztjjul7k3lbkpenzbtn473rpl6wa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
error
Loki
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection discovery execution spyware stealer trojan
Link:
https://tria.ge/reports/241001-f8axcsxbmd/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Lokibot
Malware Config
C2 Extraction:
http://137.184.191.215/index.php/check.php?id=1
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments