MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef203882acf676c759bf86f6f60a5a570a5c84a163314462c133bb70fada63a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef203882acf676c759bf86f6f60a5a570a5c84a163314462c133bb70fada63a7
SHA3-384 hash: a3da5ab2f4940fbf2f255cc11c44bcb2338595bc86bc75977512defed6d23f9bc55cabb5a627169a4ad498e38c8a5886
SHA1 hash: ad813920c8eae11830d3def325cae70e42bb2798
MD5 hash: e3093c7e54c91f4020bf8608de3e3e76
humanhash: north-island-april-texas
File name:618718IMG_222446.pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:701'552 bytes
First seen:2021-02-03 14:23:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RctuOmlcA+kMk3S6oOwRmhr/dKps2tLvmn3alMN4:RcUWpkMkC6RXTOs2ty3ala4
Threatray 221 similar samples on MalwareBazaar
TLSH 54E4B5C277B2CA75E451F33692BA92BA03B2F8E746209663570F3FB6B0D11D65C0E584
Reporter James_inthe_box
Tags:exe Loki

Code Signing Certificate

Organisation:GlobalSign Timestamping CA - G2
Issuer:GlobalSign Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Apr 13 10:00:00 2011 GMT
Valid to:Jan 28 12:00:00 2028 GMT
Serial number: 0400000000012F4EE152D7
Intelligence: 12 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: C977923C771E1A66C925A2B6F501732E678DC9887AFE6BFAAC039D1D9A71F0EC
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_222446.doc
Verdict:
Malicious activity
Analysis date:
2021-02-03 07:33:48 UTC
Tags:
ole-embedded exploit CVE-2017-11882 trojan lokibot stealer
Link:
https://app.any.run/tasks/7b32a61a-90e9-4311-be1a-d2f8a02c56a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115342/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.4293.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Creating a process from a recently created file
Reading critical registry keys
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/597903
Signature
Allocates memory in foreign processes
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 347994 Sample: 618718IMG_222446.pdf.exe Startdate: 03/02/2021 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected AntiVM_3 2->37 39 5 other signatures 2->39 7 msgu.exe 14 2 2->7         started        10 618718IMG_222446.pdf.exe 15 7 2->10         started        13 msgu.exe 2 2->13         started        process3 file4 41 Multi AV Scanner detection for dropped file 7->41 43 Machine Learning detection for dropped file 7->43 45 Writes to foreign memory regions 7->45 51 2 other signatures 7->51 15 AddInProcess32.exe 7->15         started        25 C:\Users\user\msgu.exe, PE32 10->25 dropped 27 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 10->27 dropped 29 C:\Users\user\msgu.exe:Zone.Identifier, ASCII 10->29 dropped 31 C:\Users\...\618718IMG_222446.pdf.exe.log, ASCII 10->31 dropped 47 Drops PE files to the user root directory 10->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->49 17 cmd.exe 1 10->17         started        19 msgu.exe 3 10->19         started        signatures5 process6 process7 21 conhost.exe 17->21         started        23 reg.exe 1 1 17->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef203882acf676c759bf86f6f60a5a570a5c84a163314462c133bb70fada63a7/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-03 03:12:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54qdravm6z3mown7q33pmcs2k4ffzbfbmmyuiywbgo5xb6w2motq._file
Verdict:
unknown
Similar samples:
19d23d06b49ced25b47d72f5338af4fa1fc533cce85dcaff4286e0da31054a38
Loki
32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb
Loki
49a63eb1c6fd5d4b22396bb8a8397c3bf124c3f94d104bc2a7a304f4457b4526
Loki
581d4ba63e52707e1839c7d2c026c847d788b8b3025046bdb491f95a431ca1f7
Loki
5da82dd52f913ff5d416ec5479133a0f89cd5d835d2fbd964f32191f642ca9fa
Loki
83ef26bdf4b6b513417a97c8997aa2152bc0fb0f0af9d0b30cf6a46d4959ce38
Loki
d09722da6fd4b8eb8ba3ee4d8e8a7ffe2cd396c410fa074bcb9fd0b44e399cb9
Loki
d659838fb0e082657316694b3c5fa5b1664968b441d84fa60c3f6ed029e85a3f
Loki
e33cc945d6b0681de6b34b52f0cb609676cdf5f3ecf61f4122b64d7a7e74b5ca
Loki
f2a9b8210e9545bf90468330a3afe70cbe26148b94658c49ff77cd59c733117b
Loki
+ 211 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210203-e5s3qzl2ta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Lokibot
Malware Config
C2 Extraction:
http://185.206.215.56/r-1/cgi.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
ef203882acf676c759bf86f6f60a5a570a5c84a163314462c133bb70fada63a7
MD5 hash:
e3093c7e54c91f4020bf8608de3e3e76
SHA1 hash:
ad813920c8eae11830d3def325cae70e42bb2798
Link:
https://www.unpac.me/results/e73076e1-ea41-4519-b3dc-1604cb551614/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ef203882acf676c759bf86f6f60a5a570a5c84a163314462c133bb70fada63a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/988839/
Cape
Cape
https://www.capesandbox.com/analysis/115342/

Comments