MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efdb9675638b745ba04b13d940943324426bad53ade1138027758bf4ea40cf27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efdb9675638b745ba04b13d940943324426bad53ade1138027758bf4ea40cf27
SHA3-384 hash: 77e38b506b4d4d493ed360951d89b236cd772b1c5a87864b440d50b5cc61f9e5c3ee58abaccb9b4830f9c0100c1699f7
SHA1 hash: 559f7fcebff4768bda43f3e1fd2059797689a272
MD5 hash: 6947b4080fa4849b57bce6b7170e1815
humanhash: bacon-twelve-arizona-kansas
File name:New Order.exe
Download: download sample
Signature Loki
Create hunting rule
File size:919'552 bytes
First seen:2022-03-22 05:22:23 UTC
Last seen:2022-03-22 07:21:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:BX1oh26qD/2jLqMfVK10+cWDuESI9Ca8fqJ/MnZab1zB1jIhmCPYABaCelbS:BlohSD/2jLffoK+hCA9qk/MngbOn38m
Threatray 6'757 similar samples on MalwareBazaar
TLSH T1F91523E536B427BAF1D21B305CAA21282BF1570D30A2D72E8DC7F7E591DA7211212F57
Reporter GovCERT_CH
Tags:exe Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/253990/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.48687447.19771.25922.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/62395d38b94fb38cb4caf28d/reports/2b3ef5fc-5862-450f-83b0-71f95462b587/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/454b4cfc-ac95-43d4-bc40-f689bc0046b3
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961397
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/efdb9675638b745ba04b13d940943324426bad53ade1138027758bf4ea40cf27/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 05:23:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 27 (70.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=57nzm5ldrn2fxiclcpmubfbterbgxlktvxqrhabhowf7j2saz4tq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0f99be5d4e238bbb90cfba686cd616fc8ba6a8c1ef1847d7433bc7d263c14509
Loki
188f27b2a8de6beae7ceadc333671e53102baf203660ad06a7d94fc1c3c82862
Loki
5d619b8944c749501aed6403110cdbbb71ca435dcf221eb442790f5cb03bb712
Loki
aa24ec4d75449a623095a651897f490584eb9a129d38762676c907c96fdf946b
Loki
d9f2e08354b94f008d996b9277cb9ed53c7ae5dbdd77a029b441f84e60993de4
Loki
+ 6'747 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220322-f254xsaghk/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://164.90.194.235/?id=5694236595514536
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
1befcf5dccff6b9a301bb03902905166e6ed0ea035273218117154d6b0ff35cf
MD5 hash:
99e6a1eca5b8bf908fa80f39a9487e02
SHA1 hash:
fc5eb1ddaa79c2cebf423d95ea06fb84fb3e078b
Detections:
win_lokipws_g0
Create hunting rule
win_lokipws_auto
Create hunting rule
Link:
https://www.unpac.me/results/66691a09-2e41-4c71-b1cf-d284757ac1fd/
Parent samples :
1816a19316181d9107bad9b5e6050a3a20328eab8ca6a7a4efab45ded9e5ba22
7d7758f93ab3f7e86babb05947e6610b91787cc12d15f06f40592d1cf2b456f3
75e1116bb12f5a8f1d3005656940543dedc3bd1166ab20229b827bfc35ae8984
5f6bf7015ba2b07f70f29dc97a673c6dae2bcadfbc5fd8c4f5448d7238aa33eb
f907bb4548a2c3d49ab289554b6f6c98e6affd633278c6568b7bcb5a38a3b075
e6a5d3db69bbe0374a7a6aee60f9010e653eee9dd9529656d2b2b574120c2994
efdb9675638b745ba04b13d940943324426bad53ade1138027758bf4ea40cf27
0d2c1106dda0e49869315d629f57e23ab0f84702e92328cfa70fcca7545a1b18
SH256 hash:
301642ff8826ac264d1a78b36237b5ece99cb31a2d9cecd04aafb3449679d94b
MD5 hash:
f08268ddb5c1236b947fe2864860fc98
SHA1 hash:
772410110fee00fc53939b94c2f64069fa824cf4
Link:
https://www.unpac.me/results/66691a09-2e41-4c71-b1cf-d284757ac1fd/
SH256 hash:
414f985149a640eb05b596cf097af84a7f5276028762f01c063f6b37eac64b3e
MD5 hash:
81b0dff3f8ca825f3990de59491fc664
SHA1 hash:
5ba08c4c7664ac86f0a497e027d2492a1bdef05b
Link:
https://www.unpac.me/results/66691a09-2e41-4c71-b1cf-d284757ac1fd/
SH256 hash:
398e4792a628b11306f44eb6797cc86eb493035329d3835ac22f9ea7a024cc6e
MD5 hash:
f8646cd01640434529c4fd6f7cf4b868
SHA1 hash:
42da324452579decdf6f2aa2465f84e066c641d8
Link:
https://www.unpac.me/results/66691a09-2e41-4c71-b1cf-d284757ac1fd/
SH256 hash:
efdb9675638b745ba04b13d940943324426bad53ade1138027758bf4ea40cf27
MD5 hash:
6947b4080fa4849b57bce6b7170e1815
SHA1 hash:
559f7fcebff4768bda43f3e1fd2059797689a272
Link:
https://www.unpac.me/results/66691a09-2e41-4c71-b1cf-d284757ac1fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/efdb9675638b745ba04b13d940943324426bad53ade1138027758bf4ea40cf27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe efdb9675638b745ba04b13d940943324426bad53ade1138027758bf4ea40cf27

(this sample)

  
Dropped by
loki
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/253990/

Comments