MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
SHA3-384 hash: e7fb346e8cf9e4ae9b285ec68b7a5255814c76ea03aa9ee8f955cbbfb51464ffa6800ad82b242980fd0824d65c7a4b8a
SHA1 hash: c9d77ef2c5d0ef145f83494ff3133169f01edffb
MD5 hash: 49cabe2e00e290a69e727475d214f4ec
humanhash: carolina-charlie-london-april
File name:DHL_billoflanding.exe
Download: download sample
Signature Loki
Create hunting rule
File size:2'113'024 bytes
First seen:2023-05-24 12:19:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 49152:ansHyjtk2MYC5GDzJTDEfSCHZJmm8xondDG3ybqTMbS3:ansmtk2aCZDE6KOm7mjD3
Threatray 1'985 similar samples on MalwareBazaar
TLSH T198A5F122B6D18437D1731B3C8C6BA3B8582ABE513E34794B3BF92D4D5F3A64128652D3
TrID 93.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.4% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter Anonymous
Tags:exe Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
392
Origin country :
US US
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
DHL_billoflanding.exe
Verdict:
Malicious activity
Analysis date:
2023-05-24 12:38:51 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/b646855a-6d3c-457a-9b3a-f76fb807c3f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/391156/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Win.Trojan.Generic-9936029-0
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
DNS request
Sending an HTTP GET request
Sending a UDP request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/87723/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe darkkomet dropper evasive fingerprint greyware hacktool keylogger lokibot lolbin macros macros-on-close macros-on-open optix packed shell32.dll unsafe
Link:
https://www.filescan.io/uploads/646e00f374a37a9dca1b3496/reports/3a8653ff-74fe-4450-8ec9-59d28d5c1931/overview
Verdict:
Malicious
Labled as:
Delf.NBX virus
Link:
https://www.hybrid-analysis.com/sample/fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a9e48f1-a45f-49b8-9459-88e97e8f0e59
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
expl.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1241620
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 874644 Sample: DHL_billoflanding.exe Startdate: 24/05/2023 Architecture: WINDOWS Score: 100 75 Snort IDS alert for network traffic 2->75 77 Multi AV Scanner detection for domain / URL 2->77 79 Found malware configuration 2->79 81 17 other signatures 2->81 8 DHL_billoflanding.exe 1 6 2->8         started        11 EXCEL.EXE 22 15 2->11         started        14 Synaptics.exe 2->14         started        process3 dnsIp4 45 C:\Users\...\._cache_DHL_billoflanding.exe, PE32 8->45 dropped 47 C:\ProgramData\Synaptics\Synaptics.exe, PE32 8->47 dropped 49 C:\ProgramData\Synaptics\RCXD2FA.tmp, PE32 8->49 dropped 51 C:\...\Synaptics.exe:Zone.Identifier, ASCII 8->51 dropped 16 ._cache_DHL_billoflanding.exe 3 8->16         started        20 Synaptics.exe 34 8->20         started        61 192.168.2.1 unknown unknown 11->61 file5 process6 dnsIp7 33 C:\...\._cache_DHL_billoflanding.exe.log, ASCII 16->33 dropped 65 Multi AV Scanner detection for dropped file 16->65 67 Machine Learning detection for dropped file 16->67 69 Injects a PE file into a foreign processes 16->69 23 ._cache_DHL_billoflanding.exe 2 16->23         started        55 freedns.afraid.org 174.128.246.100, 49704, 80 ST-BGPUS United States 20->55 57 docs.google.com 142.250.203.110, 443, 49699, 49700 GOOGLEUS United States 20->57 59 xred.mooo.com 20->59 35 C:\Users\user\Downloads\ChromeSetup.exe, PE32 20->35 dropped 37 C:\Users\user\Documents\CZQKSDDMWR\~$cache1, PE32 20->37 dropped 39 C:\Users\user\AppData\Local\...\RCXDF9E.tmp, PE32 20->39 dropped 41 2 other malicious files 20->41 dropped 71 Antivirus detection for dropped file 20->71 73 Drops PE files to the document folder of the user 20->73 26 WerFault.exe 24 9 20->26         started        file8 signatures9 process10 file11 43 C:\...\._cache_._cache_DHL_billoflanding.exe, PE32 23->43 dropped 28 ._cache_._cache_DHL_billoflanding.exe 54 23->28         started        process12 dnsIp13 63 161.35.102.56, 49722, 49724, 49725 DIGITALOCEAN-ASNUS United States 28->63 53 C:\Users\user\AppData\...\B52B3F.exe (copy), PE32 28->53 dropped 83 Antivirus detection for dropped file 28->83 85 Multi AV Scanner detection for dropped file 28->85 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->87 89 5 other signatures 28->89 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d/
Threat name:
Win32.Virus.Napwhich
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 05:25:58 UTC
File Type:
PE (Exe)
Extracted files:
73
AV detection:
23 of 23 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7te6qzlb4lxpjsz5tpqzbcbnttqvs3c5m45m6z5fjihvj43sf4oq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
04aa55e1600b801ddda368268eaf6f2ab9858f402b526468d727a943eadfb122
Loki
069d0eb7f3e3d5bda86b1b2782d6a0cbf16da50a28b2738c0e91252a3ed34eba
Loki
4969ef4af9004baaf340293cb7b7a4b46289d2648105c840997a961b19f7d846
Loki
4f250e4c6d12fc351a9e0cfae8036b78a88c409e6c6c88a45aa6b659d8c4901e
Loki
578873c16060e04fcfe43f9c9c04d2779a09a7566b3b4e97c1b18d87ac381057
Loki
62f1922f673fdb34aea18eac783649154f1bdc646410052e3b72c4ebe6c78f37
Loki
a5fb447c2992f48abd863452bcd6934032cf29bef1f0907bd9344a31a41e0edb
Loki
b2fb5fa4aab3329297f4f06a3596a9f640826252f473cc0f62b21c8f1a8b0cfa
Loki
c7b06e2840e703c98fbe1fbfd9f33f5478e58840112d85c1e94c27a34474c95f
Loki
ce3c9c47d811745d5534bf268331382438b274a112d2327396cdc8623e82f98b
Loki
+ 1'975 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection persistence spyware stealer trojan
Link:
https://tria.ge/reports/230524-phra4ach8w/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://161.35.102.56/~nikol/?p=4479137330
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
SH256 hash:
e0bb4b803264aa8e1aeaa72bc4864d77c92df4b9d817bf1d07e3172ea6a667e1
MD5 hash:
6b6025f37ba620a327ccf36e9bffb8cd
SHA1 hash:
d86b62a6d9f2693815d7e6e8ba495ea51fee06fc
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
e17c72d80c47b69de339dabcea2cb93ebb9a7a98f7f8f78c233d4cec02471aee
MD5 hash:
3d81dc8162f2c97463d9b4487c2a1308
SHA1 hash:
98ba9509e131f36742200cd116733c338b4b1971
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
Parent samples :
52a13a4d61a25202abe50d85c42d4b3aac7e364af1100233c28cf06e4598882e
fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
SH256 hash:
299758f17977a1f279bf989f5d88be7930f5bfe50302308c24378d6816d283a7
MD5 hash:
ccff145ae678e9f9cd29e569c6d110cf
SHA1 hash:
8fa3ec346ea886e40dd44913e44dc35e4a460c56
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
SH256 hash:
a518e0fddabae1e59f933566cb54e592331404d5362976f3ef81a1432dac4ffb
MD5 hash:
de906fce89f615f303ddfb80c1b37b35
SHA1 hash:
3568e3f9f0731da9a3294f4f8de61f95dc3eec31
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
SH256 hash:
47e38500e6c3a15ec0a4fab51355fe99938c6fb05f16eddb83918b56158aa3eb
MD5 hash:
8e6d2cb664f4641b79d2b6c80c0fec65
SHA1 hash:
e87143b0963c5a719f75b4c2b2c3c5db5b647235
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
SH256 hash:
fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d
MD5 hash:
49cabe2e00e290a69e727475d214f4ec
SHA1 hash:
c9d77ef2c5d0ef145f83494ff3133169f01edffb
Link:
https://www.unpac.me/results/563f600b-5869-473f-b6f2-7a5f93ad388b/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fcc9e86561e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fcc9e86561e2eef4cb3d9be190882d9ce1596c5d673acf67a54a0f54f3722f1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:vbaproject_bin
Create hunting rule
Author:CD_R0M_
Description:{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/391156/

Comments