MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4ae2cb5ba91a9b7a87cb5d79158e07f8252e8c3ad0649fca573a0d73bbbdc62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4ae2cb5ba91a9b7a87cb5d79158e07f8252e8c3ad0649fca573a0d73bbbdc62
SHA3-384 hash: c2b4ec585c2280679cd88cbe211573c9cd4df91de05769be02b28b06be6a12d91d41b07c0fa703880415990a47ed284a
SHA1 hash: 8660283f1dd38d08004390b5729603ff11b0d842
MD5 hash: 17d6fb7249d7cf29404e4b604f38a35c
humanhash: undress-timing-uncle-november
File name:inv-img.pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:103'424 bytes
First seen:2020-10-12 06:03:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dc9305f43b0447d33c96319b9b08ac0e (1 x Loki)
ssdeep 1536:cO8kfpq+5b97EYxqwN4HE60Ja2QyfI/gpp+J4FeonntsWEl5tcd6vVH9VT:DrxqNHr0Ja2QyQEVey6a6vVHT
Threatray 1'583 similar samples on MalwareBazaar
TLSH 75A32801B5C1CF71D17F18318870C6A15A2FFD215E65ABEB63843E6A3E341D09A2ADB7
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: cpanel.blazingfast.io
Sending IP: 185.62.188.4
From: Import LLC <importllc@blissfullogistics.org>
Subject: Payment Slip
Attachment: inv-img.pdf.img (contains "inv-img.pdf.exe")

Loki payload URL:
http://keeperfile.atwebpages.com/keep/img.jpag

Loki C2:
http://42815messagecenter.com/five/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69933/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Launching a process
DNS request
Creating a window
Sending an HTTP GET request
Deleting a recently created file
Creating a process from a recently created file
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Setting a single autorun event
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487976
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide the console window
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296438 Sample: inv-img.pdf.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 5 other signatures 2->60 8 cmd.exe 1 2->8         started        11 inv-img.pdf.exe 14 2->11         started        15 cmd.exe 1 2->15         started        process3 dnsIp4 66 Suspicious powershell command line found 8->66 17 powershell.exe 13 8->17         started        19 conhost.exe 8->19         started        42 keeperfile.atwebpages.com 185.176.43.100, 49724, 49729, 49734 ZETTA-ASBG Bulgaria 11->42 44 nicovsh.ddns.net 172.100.179.236, 54908 TWC-11351-NORTHEASTUS United States 11->44 40 C:\Users\user\AppData\Local\...\lang965p.jpg, PE32 11->40 dropped 68 Contains functionality to hide the console window 11->68 21 reg.exe 1 1 11->21         started        24 conhost.exe 11->24         started        26 powershell.exe 12 15->26         started        28 conhost.exe 15->28         started        file5 signatures6 process7 signatures8 30 lang965p.jpg 13 17->30         started        62 Creates autostart registry keys with suspicious values (likely registry only malware) 21->62 64 Creates autostart registry keys with suspicious names 21->64 34 lang965p.jpg 13 26->34         started        process9 dnsIp10 46 nicovsh.ddns.net 30->46 48 keeperfile.atwebpages.com 30->48 70 Antivirus detection for dropped file 30->70 72 Multi AV Scanner detection for dropped file 30->72 74 Machine Learning detection for dropped file 30->74 76 Contains functionality to hide the console window 30->76 36 conhost.exe 30->36         started        50 nicovsh.ddns.net 34->50 52 keeperfile.atwebpages.com 34->52 38 conhost.exe 34->38         started        signatures11 process12
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4ae2cb5ba91a9b7a87cb5d79158e07f8252e8c3ad0649fca573a0d73bbbdc62/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-11 09:04:54 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4sxcznn2sgu3pkd4wxlzcwhap6bff2gdvudet7ffooqnoo533rra._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2c64af2b995ad6b33bc90f4103e1ae990db77c9c341279c0ab0af1c38d414405
Loki
3fe2d0dd224e7799ad1d669d3e01ec1676ce6ba39170e12df1a600ca49ae3422
Loki
50718583f71413c3eaeb95f88c1ad4e0b12958758de441ee6a0a20c072a26142
Loki
77777da436f12d38fe7834a137bc2bf51c1f09324a1e274d22e51c2ee0b4b8c3
Loki
7880e819461fdc72eb551b9cdcbd6d0e8417c685d62efb649caca31307009a66
Loki
7c7a4a9bb34b9c0f6167e07c150c1cd48257a98d3383af09e7962a61583d014e
Loki
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
Loki
ceeffdff4b0af45c77f3923e47c03a529c87dd4e0e92fdc88b0551857df53239
Loki
d050b76ba909799dc235b62e32658b86294dbd5c8282df0c4c3f4a5581373603
Loki
f834e2059da963db70d88af267f09807a69fb3edfaefc344e5ab542911835be3
Loki
+ 1'573 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201012-b3ghv2th4n/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
e4ae2cb5ba91a9b7a87cb5d79158e07f8252e8c3ad0649fca573a0d73bbbdc62
MD5 hash:
17d6fb7249d7cf29404e4b604f38a35c
SHA1 hash:
8660283f1dd38d08004390b5729603ff11b0d842
Link:
https://www.unpac.me/results/1b322a71-9f85-4ef8-a111-117de777905e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4ae2cb5ba91a9b7a87cb5d79158e07f8252e8c3ad0649fca573a0d73bbbdc62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:STEALER_Lokibot
Create hunting rule
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Lokibot stealer
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

img b8c5f6d98c5bf5ae61e901f84200a0ca6516d2b047bd71066262d672a0677a38

Loki

Executable exe e4ae2cb5ba91a9b7a87cb5d79158e07f8252e8c3ad0649fca573a0d73bbbdc62

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/683847/
  
Dropped by
MD5 b487046e13da1a3c0a6b0d7670efb788
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69933/
  
Dropped by
SHA256 b8c5f6d98c5bf5ae61e901f84200a0ca6516d2b047bd71066262d672a0677a38

Comments