MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f75f2eff7ffa6301ab74cde10a6927d2fd7e4bdc4ff63c70ecafc12360f0a78e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f75f2eff7ffa6301ab74cde10a6927d2fd7e4bdc4ff63c70ecafc12360f0a78e
SHA3-384 hash: 531a09e1bae39bcf6eacc9e0946eba7e298c5a7cf4e5cd0cd2d1a019769c2b5667567d06b6cd2e82decf138af07502b6
SHA1 hash: 5c58d6bbdb22128b276ab53ca79f7254fbdc8ce6
MD5 hash: c51f399db170780b9b5e0c0d5079b7f9
humanhash: north-ink-triple-blue
File name:DHL_AWB_PO_9882900_1010840355_10108.exe
Download: download sample
Signature Loki
Create hunting rule
File size:299'580 bytes
First seen:2020-07-30 10:06:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:BPCganNKgNoIysANgtasokRKj1MA+naYW0EQJkE6n6G7:/ansgNSsBEs/R68ndEQJk57
Threatray 579 similar samples on MalwareBazaar
TLSH BD5412AB5210C4FBC6FD453106BEAF6E66B8B125012913679FD44F1C2C438D2AE1DE9B
Reporter abuse_ch
Tags:DHL exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: polaris.vostok1.com
Sending IP: 173.160.187.11
From: DHL | Express Shipping <dhlexpress.billingid@dhl.com>
Reply-To: dhlexpress.billingid@dhl.com
Subject: Urgent: Shipping Documents (Reminder)
Attachment: DHL_AWB_PO_9882900_1010840355_10108.rar (contains "DHL_AWB_PO_9882900_1010840355_10108.exe")

Loki C2:
http://modevin.ga/~zadmin/lmark/frega3/mode.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35456/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Reading critical registry keys
Changing a file
Replacing files
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Unauthorized injection to a system process
Stealing user critical data
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/403497
Signature
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253975 Sample: DHL_AWB_PO_9882900_10108403... Startdate: 30/07/2020 Architecture: WINDOWS Score: 96 31 g.msn.com 2->31 33 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->33 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Yara detected Lokibot 2->47 49 3 other signatures 2->49 8 DHL_AWB_PO_9882900_1010840355_10108.exe 52 2->8         started        signatures3 process4 file5 21 C:\Users\user\AppData\...\VSLauncherUI.dll, PE32 8->21 dropped 23 C:\Users\...\MicrosoftVisualStudioWebUI.dll, PE32 8->23 dropped 25 C:\Users\user\AppData\...\webmigrationui.dll, PE32 8->25 dropped 27 6 other files (none is malicious) 8->27 dropped 11 rundll32.exe 8->11         started        process6 signatures7 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->51 53 Hijacks the control flow in another process 11->53 55 Maps a DLL or memory area into another process 11->55 14 cmd.exe 55 11->14         started        19 cmd.exe 11->19         started        process8 dnsIp9 35 modevin.ga 84.38.182.12, 49727, 49728, 49729 SELECTELRU Russian Federation 14->35 29 C:\Users\user\AppData\Roaming\...\B52B3F.exe, PE32 14->29 dropped 37 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->37 39 Tries to steal Mail credentials (via file registry) 19->39 41 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 19->41 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f75f2eff7ffa6301ab74cde10a6927d2fd7e4bdc4ff63c70ecafc12360f0a78e/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-30 10:08:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=65ps57377jrqdk3uzxqqu2jh2l6x4s64j73dy4hmv7asgyhqu6ha._file
Verdict:
malicious
Similar samples:
068ec47d8b4ff08861d1a9f4548132c8408cac3ee909b19f2c69e837a6f61f03
Loki
0e4c5cf2d1d60e4931c7af6021073006379935d688f5f55ad21fb29844d75a5a
Loki
3412f3e08654eceebff6c557eb9f0e82ab9e7b4cf5b0a3b9f2c7fefa5d07fe75
Loki
43a7ad11c500e6f3338f620a4056ae808ef5b61cd13b621bbf7d2e04122a61ec
Loki
8a1f8815b2d54f7171358001bec7be97d87660a29d8bce9d247da901b012f594
Loki
ba70b16e63725d98406a9e9da5126d9dde77fea5f3b080b5571f2553675ad8a7
Loki
c382d2d33c7036ac95058ef7ab3305b3234394428c28786d8c35f4a049047653
Loki
de7d61e71cd9f20980881075cd70b8ec69b8fea3624d2381bb91acb0000d2b52
Loki
df914069e95c673b5d02b806aba18f932a8f1b745cfd98fcba0189c030dfaec0
Loki
f53c786b54756ce78e13149ab3e6aefa649ae596502194d16dbcda9eb22f566c
Loki
+ 569 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200730-12y9e1npba/
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/f75f2eff7ffa6301ab74cde10a6927d2fd7e4bdc4ff63c70ecafc12360f0a78e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 623eb3c87b369ee52773e1a818369cf99e8e8b91280e768e96eda096b7fa176f

Loki

Executable exe f75f2eff7ffa6301ab74cde10a6927d2fd7e4bdc4ff63c70ecafc12360f0a78e

(this sample)

  
Dropped by
MD5 74dc81629475432dc42aa380980c9d12
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35456/
  
Dropped by
SHA256 623eb3c87b369ee52773e1a818369cf99e8e8b91280e768e96eda096b7fa176f

Comments