MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee55f1da09c9d2a19913408691a0e4a33164c1bd3f5d520f339af2f073e62aa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	ee55f1da09c9d2a19913408691a0e4a33164c1bd3f5d520f339af2f073e62aa7
SHA3-384 hash:	853adfe88a7191aba9127893cc5374176392e27c45af4ce385f9cca1bbabb68adbfddce92921cfd7bfd4e94f3e66bd87
SHA1 hash:	556716293473f4193b8249b8b89b162023f2f0a2
MD5 hash:	60cfc5ff32ca1f28e446c850e5163996
humanhash:	cat-edward-black-princess
File name:	FREIGHT INVOICEpdf.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	1'157'632 bytes
First seen:	2023-02-22 11:06:30 UTC
Last seen:	2023-02-22 12:55:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	24576:dCUSUZpBB47Y5YWBNj+FQmQHnXLI2LTNjuCm4/Ctcu:dCUSUXBOIJtsQmQHnXnC
Threatray	3'966 similar samples on MalwareBazaar
TLSH	T18C35AC4BBAF09476F99E41BC063916CF5E31B212764DE2265F3B78448E4ADFBB1C8112
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://sempersim.su/ha5/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

215

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

lokibot

ID:

File name:

FREIGHT INVOICEpdf.exe

Verdict:

Malicious activity

Analysis date:

2023-02-22 11:15:42 UTC

Tags:

trojan lokibot

Link:

https://app.any.run/tasks/f3d5459c-c77b-43f4-97e2-029bed56fd10

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/368984/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Enabling the 'hidden' option for analyzed file

Moving of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

packed

Link:

https://www.filescan.io/uploads/63f5f75701b99ad33e7f7707/reports/519a6aa5-05a3-468f-8910-4b3677f7df7c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ee55f1da09c9d2a19913408691a0e4a33164c1bd3f5d520f339af2f073e62aa7

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Loki

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ebc22c2f-dc75-4673-9572-8bc948c8cf0d

Result

Threat name:

Lokibot

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1180471

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Yara detected Lokibot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee55f1da09c9d2a19913408691a0e4a33164c1bd3f5d520f339af2f073e62aa7/

Threat name:

ByteCode-MSIL.Spyware.SnakeLogger

Status:

Malicious

First seen:

2023-02-22 11:07:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 25 (76.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5zk7dwqjzhjkdgiticdjdiheumywjqn5h5ovedzttlzpa47gfktq._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Loki

0f6a0c8f4c9d3fa419bd22b2687328e7a721ad0b1ef504a64166b1c630997cee

Loki

26cfdd614196dd8f128f01480c55504960ecafad60991455a030cc5c73130f2a

Loki

4e12ca0674f72503e00f35b8b27aa98da0855baa9e25264b357bb934e31a2217

Loki

7f0fcb4f3651ec6a3b273322857afe8aa8373f77964afd0bb592378a4a97fe1a

Loki

83ce4d12583639df7dcbe4d13b6e608bca3c42a58dc4fbb18c352fa93dec7800

Loki

a1f8dd874a1d63dfbd2cc504fbe6d5784eb00610b02fef44b606b7a127f41bc4

Loki

+ 3'956 additional samples on MalwareBazaar

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/230222-m7zmnacg8w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

https://sempersim.su/ha5/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Unpacked files

SH256 hash:

c70e771b6fe475bc78f9ae25118bf28f89f1f0040ad54572ee38a5232e1aa5fa

MD5 hash:

dceaf73e1744ba64ee981762ad848c3d

SHA1 hash:

aef5a93ef39eec4ddaf7412002a257c9acea7d12

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/8a561b1f-4d8e-4ae9-b888-f2ecc9a1ecbb/

SH256 hash:

423c3a56865b9ad2c1328d8858f599ff0b5579df3c472a432d42abf9fa9c6b0d

MD5 hash:

2b56ce50f1ec9c2c3b78cb970f2daa18

SHA1 hash:

a4abc56c223a254a2aa7888ee9c55284430b4fd5

Detections:

lokibot

win_lokipws_auto

win_lokipws_g0

Link:

https://www.unpac.me/results/8a561b1f-4d8e-4ae9-b888-f2ecc9a1ecbb/

SH256 hash:

b2dd5bcf9138720f9ffeca3b8aefa001e40b2dd879c1db3bb8e47281c3575f8e

MD5 hash:

301d49f143b4559eebb04d6604c9c806

SHA1 hash:

8e1065918d606bf77bf8d0fd3375de5c1e4ec0b3

Link:

https://www.unpac.me/results/8a561b1f-4d8e-4ae9-b888-f2ecc9a1ecbb/

SH256 hash:

b05393723364661b56d432da2cbff392bdbc0e3e8166fadb12df4141eef4aaeb

MD5 hash:

654dbdbe77d7957982466caa82fd80d2

SHA1 hash:

6dd8b4e613bc1738248c7b4d463a88540810272e

Link:

https://www.unpac.me/results/8a561b1f-4d8e-4ae9-b888-f2ecc9a1ecbb/

SH256 hash:

8617cea503c2a3961120a9c503d853bc21d38d1fca7143d6b1ef4f388bc5cec7

MD5 hash:

7f225c69df031bf0560aed3847a1221a

SHA1 hash:

4d5f3ccdb2c6015d2b2a73326c0f32b173af2819

Link:

https://www.unpac.me/results/8a561b1f-4d8e-4ae9-b888-f2ecc9a1ecbb/

SH256 hash:

ee55f1da09c9d2a19913408691a0e4a33164c1bd3f5d520f339af2f073e62aa7

MD5 hash:

60cfc5ff32ca1f28e446c850e5163996

SHA1 hash:

556716293473f4193b8249b8b89b162023f2f0a2

Link:

https://www.unpac.me/results/8a561b1f-4d8e-4ae9-b888-f2ecc9a1ecbb/

Malware family:

Lokibot

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee55f1da09c9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/ee55f1da09c9d2a19913408691a0e4a33164c1bd3f5d520f339af2f073e62aa7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/368984/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample