MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525
SHA3-384 hash: 77fdf87876b4ed489fade5b1ef013284b8c5b87fb542a7b9f48402d458f91be844dea599dbdc59ccb056144667448ea5
SHA1 hash: 0a14506262914b6d5a502fd407d2ca36244d2ede
MD5 hash: 710d9ff3b02313f81c0ea6679a219c5c
humanhash: twelve-violet-wisconsin-two
File name:11121409.exe
Download: download sample
Signature Loki
Create hunting rule
File size:631'296 bytes
First seen:2023-06-06 12:42:39 UTC
Last seen:2023-06-06 13:15:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ssIdul2iNfmFx2iqNhujGjU7eK6H0rvoCT81qCYdoC89GWlsWc1A+l:ssIdul1lmFxU06H0cr5MqPlP+
TLSH T197D4F12853FE471AD6B367B656B4563093BBFE9DB631E30A0E87B08D1961F018A10773
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter cocaman
Tags:exe Loki

Intelligence

File Origin
# of uploads :
6
# of downloads :
302
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
11121409.exe
Verdict:
Malicious activity
Analysis date:
2023-06-06 12:44:03 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/85033e0c-357c-4cf0-b3b5-2c86cb20af11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/396123/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Win.Dropper.Nanocore-10003611-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Unauthorized injection to a recently created process
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for analyzed file
Stealing user critical data
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fareit lolbin packed
Link:
https://www.filescan.io/uploads/647f29d65864876b26424315/reports/5b2c0dae-677c-4e0e-9870-ed0689571b31/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efbcae78-e315-4083-84d5-851544d983b0
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1249540
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 09:09:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3w7gvkaulcai75h7wrskbby7btpd42p65eaaiysqfgwyql6housq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230606-pxwjcseb8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://185.246.220.85/project/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/e62d0971-9573-46cb-9531-f24205e881e7/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
f53222f9c2e03ae5781054867df2e3ba86137425df35ce15c13fa48f2f843c79
MD5 hash:
252c81e286415725e6cd6d524b4f030f
SHA1 hash:
5a8c396f03bf6c66ee0f196f8c50dce8e63cef68
Link:
https://www.unpac.me/results/e62d0971-9573-46cb-9531-f24205e881e7/
SH256 hash:
4617a042fe44aaf516943d755d5c600dba7ac6b7c142aa6a9d3f17f5166bc77b
MD5 hash:
d20a4039b259b16a264d59824bd0ccae
SHA1 hash:
4804aa673bc927140520194de12e11646f7383f6
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/e62d0971-9573-46cb-9531-f24205e881e7/
Parent samples :
8cf00d2afc13dfb147426c04aa2e0f01185ece5cc6d33f0c24dab812fcb2ddc5
e523dd1e51303c2be9fe5cccef1960524a5b6de9bb2aeab9e4e4cfc94c86db32
4617a042fe44aaf516943d755d5c600dba7ac6b7c142aa6a9d3f17f5166bc77b
a19a7f643cbad12cc1144bf4894bb452c67667c20f35de5f167d870b8e84ed84
d2443db39011b4dd31366597f9a9a2bc9b437c8c447f39ed71c17e4a221bf8de
e955fc3741fe1809aa1c2ac006e8a64e9db41e666554e69e426111926c30d3f4
ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525
01b0afd5519e0f4b6602dcb0387e414fa65ece3a6b7338dc2df10abf2d1c5a01
87d7051c8e84d0820bae86d6969b551fd1a921084e23bff33494c1e55625e43a
5d961d6c0a4a89cced23dd8b7de5adde334379d0bfe1df4aa40c4b16e208e3aa
SH256 hash:
0b861d0e19d173621dba77fc3954b6325b3e89e0856817eb9ac1b0e4b4b6f9a0
MD5 hash:
34e9924238cc9c184aed0f7e0dd905ab
SHA1 hash:
42e0e3852a327ae2d232858ba41fca9cadd628db
Link:
https://www.unpac.me/results/e62d0971-9573-46cb-9531-f24205e881e7/
SH256 hash:
ef4ae2aa24d990d2723bd9b9b130e103b8fa60c76adbb418c9313c0c5596da0d
MD5 hash:
3d5dd39422b4420c4818a5d78f69d1c3
SHA1 hash:
2e8b6a813710358e7b40421851018c9340c80e7d
Link:
https://www.unpac.me/results/e62d0971-9573-46cb-9531-f24205e881e7/
SH256 hash:
ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525
MD5 hash:
710d9ff3b02313f81c0ea6679a219c5c
SHA1 hash:
0a14506262914b6d5a502fd407d2ca36244d2ede
Link:
https://www.unpac.me/results/e62d0971-9573-46cb-9531-f24205e881e7/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ddbe6aa81458/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 182c6fa00df15464432021561516c0c5b27ecc80e57abf661fae2cc376933c18

Loki

Executable exe ddbe6aa81458808ff4ffb464a0871f0cde3e69fee90004625029ad882fc77525

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 182c6fa00df15464432021561516c0c5b27ecc80e57abf661fae2cc376933c18
Cape
Cape
https://www.capesandbox.com/analysis/396123/
  
Dropped by
SHA256 d65c56de4ba43127d338477f64ebfde03afc406b3142e25f30d54900398b4521
  
Dropped by
SHA256 c168fbe77b50db29e162c513bd6ab692d4a2592b098f17fd4a12a117b207a5c3
  
Dropped by
SHA256 7eb686a51cbb8fd5f9acb2e8d614eda9a504845b402b1d2665d5edc1d6686829
  
Dropped by
SHA256 fd072398dd3278431f57bb0649361b34006fe3a803d8c39549f30913a71f121a
  
Dropped by
SHA256 75a78f2758626fc1ef5e1bda1f20a007e576ab83ecd515e29d9203e8b283c725
  
Dropped by
MD5 0c457df8d7a54f95c75350425f0b25b1
  
Dropped by
MD5 0d1a6209704cddb135abbc85bfba2dc1
  
Dropped by
MD5 b4f1b4ec9732645c73e73261815a2d88
  
Dropped by
MD5 50af122af635225e9c237cf0d2cf01c8
  
Dropped by
MD5 f971bc4c1d9a5d7fa408a41bb1dd7922
  
Dropped by
MD5 a8daec5a05981e2d8a416ffae08f6e35

Comments