MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 14


Maldoc score: 4



SHA256 hash: f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d
SHA3-384 hash: c95bd192c4f61e22cc686d91a2caae4130a95d5e0e0aada4a0314b47628b777bb2f3c5ba84d67b06ffb10613e2e4b340
SHA1 hash: 7fdf7feed6f105ce6bfeb34fb44c9c58dfe9057e
MD5 hash: 5a69ac58c3133e24a783cf4ea670a243
humanhash: crazy-tennis-burger-robin
File name: Payment Advice.xls
Signature Loki
File size: 1'136'128 bytes
First seen: 2024-11-20 06:47:09 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep 24576:auq9PLiijE2Z5Z2amwshXCdQtF84LJQohL7m90Ns4Ql1xzRjpCrHac:auEPLiij7Z5ZKwsAsFjLJQohm90Clvzu
TLSH T189352355F985EF06D69BA9320CA3D8F22408BC83BF69A2422730779F647D1F81F47195
TrID 46.5% (.XLS) Microsoft Excel sheet (alternate) (56500/1/4)
26.7% (.XLS) Microsoft Excel sheet (32500/1/3)
20.1% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
6.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika xls
Reporter abuse_ch
Tags: cve-2017-0199 Loki xls

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document, obtained using oletools and oledump.

OLE id
Maldoc score: 4
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID   Section size    Section name
1            114 bytes       CompObj
2            244 bytes       DocumentSummaryInformation
3            200 bytes       SummaryInformation
4            99 bytes        MBD001C4526/CompObj
5            781880 bytes    MBD001C4526/Package
6            376 bytes       MBD001C4527/Ole
7            330975 bytes    Workbook
8            521 bytes       _VBA_PROJECT_CUR/PROJECT
9            104 bytes       _VBA_PROJECT_CUR/PROJECTwm
10           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet1
11           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet2
12           977 bytes       _VBA_PROJECT_CUR/VBA/Sheet3
13           985 bytes       _VBA_PROJECT_CUR/VBA/ThisWorkbook
14           2644 bytes      _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
15           553 bytes       _VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from OLE objects embedded in this file using olevba, and derived the following information:

Type         Keyword        Description
Suspicious   Hex Strings    Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
1
# of downloads :
460
Origin country :
NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Advice.xls
Verdict:
No threats detected
Analysis date:
2024-11-20 06:49:11 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.ms-excel
Has a screenshot:
False
Contains macros:
False
Verdict:
Malicious
Score:
99.1%
Tags:
infosteal trojan agent virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending an HTTP GET request
Creating synchronization primitives
Connection attempt by exploiting the app vulnerability
Sending a custom TCP request by exploiting the app vulnerability
Result
Verdict:
Malicious
File Type:
Legacy Excel File with Macro
Payload URLs
URL
File name
https://provit.uk/CxdOH5?&radar=sneaky&psychology=outstanding&sherry=spotless&suggestion
Embedded Ole
Behaviour
SuspiciousRTF detected
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
macros powershell
Label:
Benign
Suspicious Score:
2.1/10
Score Malicious:
21%
Score Benign:
79%
Result
Threat name:
HTMLPhisher, Lokibot
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Found malware configuration
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Microsoft Office drops suspicious files
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected HtmlPhish44
Yara detected Lokibot
Behaviour
Behavior Graph:
Behavior Graph ID: 1559095
Sample: Payment Advice.xls
Startdate: 20/11/2024
Architecture: WINDOWS
Score: 100

Sample-level signatures:
- Suricata IDS alerts for network traffic
- Found malware configuration
- Malicious sample detected (through community Yara rule)
- 19 other signatures

Process tree (with network, dropped files and signatures per process):

EXCEL.EXE
  Network: 192.3.243.136 (ports 49164, 49166, 49167) AS-COLOCROSSINGUS United States
  Network: provit.uk 198.244.140.41 (ports 443, 49163, 49165) RIDLEYSD-NETUS United States
  Dropped: C:\Users\user\...\Payment Advice.xls (copy), Composite
  Dropped: C:\Users\user\...\~DF6CCF4596F2406470.TMP, Composite
  Dropped: greetingwithgreatt...sgivenmeback[1].hta, HTML
  Signature: Microsoft Office drops suspicious files
  mshta.exe
    Network: provit.uk
    Signature: Suspicious powershell command line found
    Signature: PowerShell case anomaly found
    powershell.exe
      Dropped: C:\Users\user\AppData\Roaming\caspol.exe, PE32
      Dropped: C:\Users\user\AppData\Local\...\caspol[1].exe, PE32
      Dropped: C:\Users\user\AppData\...\i4ik0bio.cmdline, Unicode
      Signature: Powershell drops PE file
      caspol.exe
        Dropped: C:\Users\user\AppData\...\rrwscqkDSNwLK.exe, PE32
        Dropped: C:\Users\user\AppData\Local\...\tmpAAE0.tmp, XML
        Signature: Antivirus detection for dropped file
        Signature: Machine Learning detection for dropped file
        Signature: Uses schtasks.exe or at.exe to add and modify task schedules
        caspol.exe
          Network: 94.156.177.41 (ports 49168, 49169, 49170) NET1-ASBG Bulgaria
          Dropped: C:\Users\user\AppData\...\5879F5.exe (copy), PE32
          Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
          Signature: Tries to steal Mail credentials (via file / registry access)
          Signature: Tries to harvest and steal ftp login credentials
          Signature: Tries to harvest and steal browser information (history, passwords, etc)
        powershell.exe
        powershell.exe
        schtasks.exe
      powershell.exe
        Signature: Installs new ROOT certificates
      csc.exe
        Dropped: C:\Users\user\AppData\Local\...\i4ik0bio.dll, PE32
        cvtres.exe
  mshta.exe
    Network: provit.uk
    powershell.exe
      caspol.exe
        Signature: Adds a directory exclusion to Windows Defender
        Signature: Injects a PE file into a foreign processes
        powershell.exe
        powershell.exe
        2 other processes
      csc.exe
        Dropped: C:\Users\user\AppData\Local\...\zpwvvpvf.dll, PE32
        cvtres.exe
      powershell.exe
  AcroRd32.exe
taskeng.exe
  rrwscqkDSNwLK.exe
    Signature: Antivirus detection for dropped file
    Signature: Tries to steal Mail credentials (via file registry)
    Signature: Machine Learning detection for dropped file
    Signature: 2 other signatures
    powershell.exe
    powershell.exe
    schtasks.exe
    rrwscqkDSNwLK.exe
Threat name:
Document-Office.Exploit.CVE-2017-0199
Status:
Malicious
First seen:
2024-11-20 02:42:24 UTC
File Type:
Document
Extracted files:
96
AV detection:
12 of 24 (50.00%)
Threat level:
5/5
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection defense_evasion discovery execution spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Evasion via Device Credential Deployment
Lokibot
Lokibot family
Process spawned unexpected child process
Malware Config
C2 Extraction:
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:informational_win_ole_protected
Author:Jeff White (karttoon@gmail.com) @noottrak
Description:Identify OLE Project protection within documents.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:XLS_STRINGS
Author:somedieyoungZZ
Description:Detect Strings targeting Bangladesh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments