MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a2f1e7311dab79c889621aeb6e11c48024343f8f44e787ab4903a8f2495554. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9a2f1e7311dab79c889621aeb6e11c48024343f8f44e787ab4903a8f2495554
SHA3-384 hash: be508973547ab70f351cb00d4839bdb663b3412cda9f86b5100871703a070cc6310cf2014555f6542c9fff88bd3f1226
SHA1 hash: 907ce38d1654421cfd875031b8d5bf4334e8e644
MD5 hash: aed7063ecfeb47a9ffbd2df244d7cf3c
humanhash: princess-jersey-alpha-whiskey
File name:Dhbceds.exe
Download: download sample
Signature Loki
Create hunting rule
File size:635'392 bytes
First seen:2020-07-06 08:15:02 UTC
Last seen:2020-07-06 09:06:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7a6667308868eb5622c328a0adcf08f (3 x FormBook, 1 x RemcosRAT, 1 x Loki)
ssdeep 12288:ByiFoineGN96o8Esw7/DQY8S0UuY+V9i0Lv6:BDQGN91D7rt+UuY+VXLv6
Threatray 1'701 similar samples on MalwareBazaar
TLSH D6D4AF61F2D28537C1671A3DCC5BA7B8A829BF512E2824475FE53D0C5F39782382AD93
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: relay14.raiolanetworks.com
Sending IP: 217.182.121.197
From: giovannidesantis@agride.it
Reply-To: giovamidesantis@agride.it
Subject: Inquiry
Attachment: Inquiry.zip (contains "Dhbceds.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21344/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9a2f1e7311dab79c889621aeb6e11c48024343f8f44e787ab4903a8f2495554/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 05:18:48 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7grpdzzrdwvxtsejminow3qrysacinb7r5copb5ljeb2r4sjkvka._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
2ceeb468000833002257f4237af1a1c24fc579f0b0be1eabcd7fd864ff7c9d44
Loki
391b079f44623381b2b2c9a6d6df08175e9779aefd7ae8fb9b369f5dac6c2188
Loki
3fe2d0dd224e7799ad1d669d3e01ec1676ce6ba39170e12df1a600ca49ae3422
Loki
433624fb71d727ee48760f7dbcf08e4d043913cf3ebaefc813adff118d2eda4b
Loki
4fcb2d6dd4e6699e31ef782cdb40bdf65c388311c72952702e8f3024c46c2793
Loki
8019700bd27aecf2c5a6874494f5d897aea450cfe806435f7fe28680487dcc8a
Loki
a95c6a61523704d369aa61231c2c1ae80c1ce87911f519b4108a40306b2152ac
Loki
b6423a90227ed2d30952943cdfc63e4f31b2c79a15f80e5f2fb6aa9efb75dcbe
Loki
bdf0628de7c3965db41f88705c2b900a19fc12499435fd77f6eabc172c397861
Loki
ca80e46167f7c8dd33ca38ecff1c2c19704a80735caa1c4b49498e0bc255b2cb
Loki
+ 1'691 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
persistence trojan spyware stealer family:lokibot
Link:
https://tria.ge/reports/200706-wfzvzgefdn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Lokibot
Malware Config
C2 Extraction:
http://beautynams.com/kuwait/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 6c5dd9cdd25b44c39a48816ed800033de95b6fe0c488d475824ba10dda60a246

Loki

Executable exe f9a2f1e7311dab79c889621aeb6e11c48024343f8f44e787ab4903a8f2495554

(this sample)

  
Dropped by
MD5 e7ba0d52420cad0762892cf461321abf
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6c5dd9cdd25b44c39a48816ed800033de95b6fe0c488d475824ba10dda60a246
Cape
Cape
https://www.capesandbox.com/analysis/21344/

Comments