MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcbcaf3bd263e87cfa4c5355c0c3236552bef553cd9fd4bec8e57200b71a23a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcbcaf3bd263e87cfa4c5355c0c3236552bef553cd9fd4bec8e57200b71a23a4
SHA3-384 hash: bf0f16933ecb1158e851f4747f3259736c7dda30a99a69248ef6a7416f291bbcea10ee033b3574fa84123854ed9c5c1c
SHA1 hash: c2b8a66d2045db1181a9461f19a80f9c89b4e30d
MD5 hash: c69e7e09d13074593fba7966e5769210
humanhash: speaker-william-king-lake
File name:PO.exe
Download: download sample
Signature Loki
Create hunting rule
File size:975'360 bytes
First seen:2020-10-08 13:13:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:20QS2FVj+PDKNuWPNb1waPkNo0lbdjgjp8sqW1X:2S4CmAWPT+bdE18dW1
Threatray 508 similar samples on MalwareBazaar
TLSH 7F25DF297B969B8FC62D4E7A841784209BF0C563A207F7CB3DD729E84D5E7C84E21253
Reporter abuse_ch
Tags:exe geo KOR Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail-smail-vm48.hanmail.net
Sending IP: 203.133.180.236
From: 김승준 <woritec@hanmail.net>
Subject: 발주서송부드립니다.
Attachment: 발주서송부드립니다.cab (contains "PO.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69257/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485498
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dcbcaf3bd263e87cfa4c5355c0c3236552bef553cd9fd4bec8e57200b71a23a4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 04:35:50 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3s6k6o6smpuhz6smknk4bqzdmvjl55ktzwp5jpwi4vzabny2eosa._file
Verdict:
suspicious
Similar samples:
16ac9177a6a0421e04a1ea790048528d7b01664e50f409ffe263d24767c8fdd0
Loki
1957889d188ba3fd7df0ac9e3fe2505d5bd8576865fb96907fc52ad4517db8b1
Loki
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
Loki
2dafd5f1570c579446d2b06ba815302da926c49683a36fe643241f1bd2144ac0
Loki
2df3cf76977b778b4ffe30de57192b6db63debdd422a296d788f8552be32181f
Loki
5f10fec31121883e725f46663c338b79694ad5de1636f974a724961aed9a16ff
Loki
767d213b2083d5ba0cfb4e4d281fcce7d2233345ec7932e2d89cf303fd51b10e
Loki
b8e2713744ae4bf75f6f051a88fd7cd88aa5a9d0e5707932b44a5fb47dd73057
Loki
c82132cbb99629877f81482148e3667c3c64b376d6c7486475dc25dd25a64b9e
Loki
fc0d990ef758b78feb650b93c761b3f0fe5daa30d1fbcc77a424eac49ca8cc4d
Loki
+ 498 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/201008-ckxnk6hzr6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/benetaeu-group.com/http/79.124.8.8/ekene/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
dcbcaf3bd263e87cfa4c5355c0c3236552bef553cd9fd4bec8e57200b71a23a4
MD5 hash:
c69e7e09d13074593fba7966e5769210
SHA1 hash:
c2b8a66d2045db1181a9461f19a80f9c89b4e30d
Link:
https://www.unpac.me/results/a29af061-58d7-424f-9595-e207aa357330/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/a29af061-58d7-424f-9595-e207aa357330/
SH256 hash:
5509ed817f95aed13de53445e2ae8d44148b53c601e6d985eebc1e788d120286
MD5 hash:
6677160343910126f10e6f266acbe720
SHA1 hash:
55a151196ae4477a8cf3b5134a49afe1a7607ef0
Link:
https://www.unpac.me/results/a29af061-58d7-424f-9595-e207aa357330/
SH256 hash:
352abd787aaedb77e4298d886af432f3ea377e3652d5f3e08105fb65decc2d40
MD5 hash:
e63471b6f85a5a0899a7bfa770ebc4a5
SHA1 hash:
93a7e3449d0cfa25163f5fde90f31c567e26cae2
Link:
https://www.unpac.me/results/a29af061-58d7-424f-9595-e207aa357330/
SH256 hash:
d9802922275a05fd81dc1b54ba4a2261db7c1e99603ec7753d515abc70206ab2
MD5 hash:
fc2ab5b6391af75940dd55d2cf174b1f
SHA1 hash:
d9adb5a2c95403e5456ba15eafafaf9ecf361e74
Link:
https://www.unpac.me/results/a29af061-58d7-424f-9595-e207aa357330/
SH256 hash:
76485409cb017a48f703d8a73e92a807317d284627a4b87a795f284da27fdb28
MD5 hash:
22b288aa906b7b3388fbd89ab79f2ece
SHA1 hash:
5335cbda006c009b2d7ece5532557c3008c1e2d6
Link:
https://www.unpac.me/results/a29af061-58d7-424f-9595-e207aa357330/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcbcaf3bd263e87cfa4c5355c0c3236552bef553cd9fd4bec8e57200b71a23a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

cab 4d961b05436dd09b85c1a482f398329c9983e1a2c33b4fd820a307a19295c7d7

Loki

Executable exe dcbcaf3bd263e87cfa4c5355c0c3236552bef553cd9fd4bec8e57200b71a23a4

(this sample)

  
Dropped by
MD5 11a9dbefb53ea0b0ca22c35ee96b33a3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69257/
  
Dropped by
SHA256 4d961b05436dd09b85c1a482f398329c9983e1a2c33b4fd820a307a19295c7d7

Comments