MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 defd4619ffb8cde9f007f7a33ffda97fb9f1d7db127fe6019e43d945d62a2f9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: defd4619ffb8cde9f007f7a33ffda97fb9f1d7db127fe6019e43d945d62a2f9c
SHA3-384 hash: 054ee5aba11206a94d6882ac0b32ec5038f3caedfa7ec827a23763752a2d512591aee63e8801a6e8a651e48e67edd3cc
SHA1 hash: a1360af848bc9d6b62152a66985586aeaf068657
MD5 hash: a88e55dc1ff60754a07693abe159cc23
humanhash: carbon-quiet-solar-autumn
File name:Purchase Order.pdf.exe.exe
Download: download sample
Signature Loki
Create hunting rule
File size:896'000 bytes
First seen:2021-06-18 10:30:59 UTC
Last seen:2021-06-18 11:50:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:YO7Tw32ZzUFBp9kLY4+Xsjl01J3thdPt+Eww/jUtswIfK/wxSAq5pSUevKlgpMsp:r70GZUrfXolCtN7UG3CYx7q5p2agp
Threatray 3'240 similar samples on MalwareBazaar
TLSH 45156A9D722072EEC85BD4729EA81C64EB506C7B931F5203902335EDAA7D897CF245F2
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Loki C2:
http://63.141.228.141/32.php/3V16BrI6suXPx

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://63.141.228.141/32.php/3V16BrI6suXPx https://threatfox.abuse.ch/ioc/136310/

Intelligence

File Origin
# of uploads :
2
# of downloads :
174
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.pdf.exe.exe
Verdict:
Malicious activity
Analysis date:
2021-06-18 10:33:24 UTC
Tags:
trojan lokibot stealer
Link:
https://app.any.run/tasks/6770cfb2-33dd-4089-8d02-b1b9b5d8b5ef

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166822/
Detection(s):
SecuriteInfo.com.generic.ml.24826.23893.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f0a075d-aae2-4409-b247-d206e87ca7ee
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804266
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/defd4619ffb8cde9f007f7a33ffda97fb9f1d7db127fe6019e43d945d62a2f9c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 10:31:08 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=336umgp7xdg6t4ah66rt77njp647dv63cj76mam6ipmulvrkf6oa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
47aa20a304624dbf8b71da1804f3f848ab12f2797390d0788067b542dc2c6a9c
Loki
48133f0cf5365001a0c93f29fab32146bee4676e4ed1474580591fb3303e0342
Loki
9c6820c272c99c423cdeec4f7ec725d82725dfa4df3174fbf0097551e0de5c53
Loki
a7fa0b9c523e32efbdefa0c04cc8229bbdea0cc820d3362289e8d2b0670281d4
Loki
bc0e4d752580a45adc132bafa84fafea4c9e517b6af4450a57724c294a6f79bf
Loki
bd8d9286525b1c6df2d531a06620f5c39e388843a515f105ce6e13d7d7e275b6
Loki
c0928225885d5bd8fa680f7fc6cbe5d8e79923b2adabc3a66cadacbb79099d27
Loki
cb4c7251ab8b703ca6f52e0a0497e4814655cce0af71292c827e7622f2497cdf
Loki
e9b8e797fa3c506edffd22f690a3951878fa9ab230255f9c658410545aaae505
Loki
f87996a3c60c353c55b058cf87d59e6f67a705c2b2e8e211889cc3c10a9af093
Loki
+ 3'230 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/210618-j4sxkt8wle/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://63.141.228.141/32.php/3V16BrI6suXPx
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
bed73f7ba948bf6c9f8280d1bc8e48f34b5c9fe62bdb0d393c9138fe12701832
MD5 hash:
d220b7de35e659ace210796f7326d760
SHA1 hash:
17959784fe5beb6f75b959a79229a34ca0ae4762
Link:
https://www.unpac.me/results/8dcdc6dc-404f-44b5-9bba-8e70289d4a21/
SH256 hash:
defd4619ffb8cde9f007f7a33ffda97fb9f1d7db127fe6019e43d945d62a2f9c
MD5 hash:
a88e55dc1ff60754a07693abe159cc23
SHA1 hash:
a1360af848bc9d6b62152a66985586aeaf068657
Link:
https://www.unpac.me/results/8dcdc6dc-404f-44b5-9bba-8e70289d4a21/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/defd4619ffb8cde9f007f7a33ffda97fb9f1d7db127fe6019e43d945d62a2f9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/166822/

Comments