MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7ac7c64889312c42876b74c7c4e7be0a383d98449dbc3d41eb9835bea79e0cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	e7ac7c64889312c42876b74c7c4e7be0a383d98449dbc3d41eb9835bea79e0cd
SHA3-384 hash:	e76198c785e56934d8429e55ed18ebea0660f9db170bc190ca29a7ae902f8baae4379746507d8aaf8a2ac081af2c3769
SHA1 hash:	5bd9147c88341dc383f437bc473e2c866bcfc113
MD5 hash:	a922f9ed29b869017a10ca43e95325fd
humanhash:	north-aspen-wisconsin-september
File name:	Purchase Order_exe.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	390'862 bytes
First seen:	2021-08-18 06:12:34 UTC
Last seen:	2021-08-18 06:45:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6b1520ba8a8e7d12cecb5bd04c747ffc (2 x AZORult, 1 x Formbook, 1 x SnakeKeylogger)
ssdeep	6144:N3GnTkELHaRQvF9ur4UeRs/YuKmyUsDUUrLDUQK6jeIddpQ/DUheWXZl6PyRAX2N:FvwaRQvF9ur4Viy6SfUD6Jd/QoYiT6PQ
Threatray	4'324 similar samples on MalwareBazaar
TLSH	T13584D022F2858076D9B2293382F6A5792C3D3B72071F9EEB138459B94F745D1B930A27
Reporter	GovCERT_CH
Tags:	exe Loki

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order_exe.exe

Verdict:

Malicious activity

Analysis date:

2021-08-18 06:13:09 UTC

Tags:

trojan lokibot stealer

Link:

https://app.any.run/tasks/28087f64-815d-4f73-a3c7-1305b5b5cd57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/180204/

Detection(s):

SecuriteInfo.com.Variant.Razy.909438.26476.26404.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Reading critical registry keys

Changing a file

Replacing files

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Sending a UDP request

Stealing user critical data

Moving of the original file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/94bf634c-e983-49b5-a3a2-568a33b5e3ac

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/834891

Signature

C2 URLs / IPs found in malware configuration

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

lokibot

Link:

https://mwdb.cert.pl/sample/e7ac7c64889312c42876b74c7c4e7be0a383d98449dbc3d41eb9835bea79e0cd/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2021-08-18 04:45:37 UTC

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=46whyzeismjmikdww5ghytt34cryhwmejhn4hva6xgbvx2tz4dgq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210818-fg84cdme3s/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

1e195a1a4cf9c0dcff5bb1ef65a45d869f70b2c3e11e9c0119654d5950ba099c

MD5 hash:

127ada2a40b0268a2bab81f810e9e89f

SHA1 hash:

72f38ec73857301ab37d7c88391cba47a6776212

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/7303d641-1c45-451d-9454-a5e9c171073f/

Parent samples :

995bffd2446e01cf7817573adfc1ecf40679b37ffce1640969352ddca313c346
e7ac7c64889312c42876b74c7c4e7be0a383d98449dbc3d41eb9835bea79e0cd
6ad1a9114fabea8c23151bcb789a9867cb2345e7b65187e5443e6f76f20c7037
46a26fb39083f77a088365eded45839567dd33a1623ddb6440073dbf242c8811
54bdd507eb726a7a4ac9f8d7c220e97f447b37c61986e050cf54119ceec42c65

SH256 hash:

e7ac7c64889312c42876b74c7c4e7be0a383d98449dbc3d41eb9835bea79e0cd

MD5 hash:

a922f9ed29b869017a10ca43e95325fd

SHA1 hash:

5bd9147c88341dc383f437bc473e2c866bcfc113

Link:

https://www.unpac.me/results/7303d641-1c45-451d-9454-a5e9c171073f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e7ac7c64889312c42876b74c7c4e7be0a383d98449dbc3d41eb9835bea79e0cd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

exe e7ac7c64889312c42876b74c7c4e7be0a383d98449dbc3d41eb9835bea79e0cd

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/180204/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample