MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853
SHA3-384 hash:	932ae7438b0ca01b4335de70ea19167c05d8f28cbfaa8357cb7f1a5095cf6be70660e42860e860e2ff874670d05f0071
SHA1 hash:	5350b2e3f988d48fd0a9b8ab52c43caada878721
MD5 hash:	0fa9f824e7e956d42dcac1dda49bc353
humanhash:	minnesota-spring-earth-don
File name:	SHIPPING DOCUMENTS - AWB N0 84136312 .exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	458'752 bytes
First seen:	2020-10-21 09:58:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:45h+YXMeiem7SxdEqHIELCHSlrygmcuo7nguROZN:LZeRm7SHaSlryzo7MN
Threatray	1'793 similar samples on MalwareBazaar
TLSH	DFA4E0366A9CAF10E0BE273A54A5144017FAE906F733C21E7CF930DD6A66FA44572722
Reporter	abuse_ch
Tags:	DHL exe Loki

abuse_ch

Malspam distributing Loki:

HELO: vps.untrarto.com
Sending IP: 45.153.203.102
From: DHL CUSTOMER SERVICE <office@untrarto.com>
Subject: Failed DHL Delivery Notification (AWB N0: 8413****6312)
Attachment: SHIPPING DOCUMENTS - AWB N0 84136312 .gz (contains "SHIPPING DOCUMENTS - AWB N0 84136312 .exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Loki

Link:

https://www.capesandbox.com/analysis/73976/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Reading critical registry keys

Changing a file

Replacing files

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Stealing user critical data

Moving of the original file

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/505676

Signature

Antivirus detection for URL or domain

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Yara detected AntiVM_3

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853/

Threat name:

ByteCode-MSIL.Backdoor.Androm

Status:

Malicious

First seen:

2020-10-21 00:59:06 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5mkatbhgdsnzqydzizlnh6lyrfuujihxewgfvprfhenyy4pvnbjq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

lokibot

Score:

10/10

Tags:

spyware trojan stealer family:lokibot

Link:

https://tria.ge/reports/201021-dq793qt6b2/

Behaviour

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://ad4teg.com/ccu/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853

MD5 hash:

0fa9f824e7e956d42dcac1dda49bc353

SHA1 hash:

5350b2e3f988d48fd0a9b8ab52c43caada878721

Link:

https://www.unpac.me/results/23d70562-ab88-4beb-811e-54f750467451/

SH256 hash:

0ac9e23c31eff3a19fd86a07579589a28ecebd798a19124c06f562367b74ec85

MD5 hash:

2144298371d1e078fc4e8de3075e4ed2

SHA1 hash:

8bb71550fb5919630e504e5cd138a401ddb0881c

Link:

https://www.unpac.me/results/23d70562-ab88-4beb-811e-54f750467451/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/23d70562-ab88-4beb-811e-54f750467451/

SH256 hash:

0499d0f733a15ec307f3532f25e319df59339342bea3cc003a3c882bac499068

MD5 hash:

ef946c6d0f2c532b09a4b587313c01b2

SHA1 hash:

eb08f3c51d2afaa75f048314afca735d7223d309

Detections:

win_lokipws_g0

win_lokipws_auto

Link:

https://www.unpac.me/results/23d70562-ab88-4beb-811e-54f750467451/

Parent samples :

eb140984e61c9b9860794656d3f978896944a0f7258c5abe25391b8c71f56853
0a58f60e4266e0d801a185d06903c24271d73314711f95ab0ed4eab349f6b938
f254f002d3465852e6c63f331e1688fa8ec089ce6f7e0d8d37f75bf039ead9de

SH256 hash:

6f0011f4d05415d003987bcaf4b123d9c28c9839f66a3e1c0273c7949d1970a0

MD5 hash:

01e67b65bde7b9d0acea2fe6f2d67b0d

SHA1 hash:

f5b68ba6286993125d3fda40c531fd6559349dbb

Link:

https://www.unpac.me/results/23d70562-ab88-4beb-811e-54f750467451/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	STEALER_Lokibot Create hunting rule
Author:	Marc Rivero \| McAfee ATR Team
Description:	Rule to detect Lokibot stealer

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com