MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894
SHA3-384 hash: 14fa7ba8d0aaaed54b1225541a8102f022d25ba95354cc34d9cd5f4ed85932212cbd92b3e5f09112a2daf4448f551f1d
SHA1 hash: 74e9e7038a1669a5aecb02047476e318b7c5700e
MD5 hash: 972db0a413a4d80edde64d0f13ee2d4e
humanhash: pizza-jig-blossom-alpha
File name:CONTRACT_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:704'512 bytes
First seen:2023-05-04 13:51:07 UTC
Last seen:2023-05-13 22:48:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:YbkcdXHwni4IyS+sKzMQ8yFXXfuBzpmCQu1ttbE4gCQweGfEmgAA76HQByjD:YbJNwLVzR8ypXf+mCF1thvjQweGfEmRR
TLSH T1F0E4F17714AAC390E03F8BB0B968BE2416A731D7F8D39E35072929C55E99B113C9D18F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
271
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
CONTRACT_pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-05-04 13:53:05 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/0566ce9d-3c5d-4ea5-8380-c4b6d8ea9dee

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LokiBot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/386555/
Detection(s):
SecuriteInfo.com.Trojan.GenericFCA.Agent.88484.6146.24420.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Enabling the 'hidden' option for analyzed file
Moving of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook packed
Link:
https://www.filescan.io/uploads/6453b883961a21dc785cd15b/reports/b01a9841-c838-4c47-b17b-846d962118c6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/151a65cb-dc22-4c75-a656-2a098d332859
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226245
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-04 03:48:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7tgx5lxa53wlhpvliac6ikeip245evkj2hbg2hx3kcv6a6bafcka._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230504-q6dkkscg49/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://185.246.220.85/blair/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
06f7815673123551c85d99397ce8a67060db84192d597f264575d9af0f40ab23
MD5 hash:
f8b1b6d6249722c781d5689edea36610
SHA1 hash:
d99d70226b55f25122e7a3ea52a6c3173baab1ec
Link:
https://www.unpac.me/results/2310b7a0-762d-4a6d-9d6b-4fba2dcaf36d/
SH256 hash:
c8808b69b0f4d52c253e35b001da94086786b34162fd51daa3f17eda94bac7f0
MD5 hash:
da56041df789c24cb2a36a364431f766
SHA1 hash:
876e6c579d1092a76ce90c500c43af0cf11724a4
Link:
https://www.unpac.me/results/2310b7a0-762d-4a6d-9d6b-4fba2dcaf36d/
SH256 hash:
f7a57eb1e0f5a36f44d69da42b47d38cc6789f051f6b6330ad06258bdad4d431
MD5 hash:
20f1c2ff544eeebe2ecf7fec118745a9
SHA1 hash:
59b33ddc78da25fec39369e5f0034b3df5ceafae
Link:
https://www.unpac.me/results/2310b7a0-762d-4a6d-9d6b-4fba2dcaf36d/
SH256 hash:
fa4db85f3a1033bd913e406301af9cd74de4d3a80051a76f7dd6ee42418a1bce
MD5 hash:
392329d50db25b4cea1ac5b1f35bbff2
SHA1 hash:
3c99aea8e48352da4c61fbad78c860ea059c34fe
Link:
https://www.unpac.me/results/2310b7a0-762d-4a6d-9d6b-4fba2dcaf36d/
SH256 hash:
e3c9c30badebb3313c557c1f9c9838bbedf0cc3039d72ea77e608f676069740c
MD5 hash:
868a56b4856375ee3aa846b606c33239
SHA1 hash:
07fa86b2fcb7df96e056d0b2b4876080714b3cba
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/2310b7a0-762d-4a6d-9d6b-4fba2dcaf36d/
Parent samples :
9889a91e24a729669aa276f27617f5169fd9d8f0358be427ed4e4cd9bb8e5dab
ac39c17f070f097e41f41579a26b8e381963fbd103e56cbdfdf5d25205c2e167
2071a487cad8b16b69b9951410d61564b4cfcc0bcf7c45108d10135bee256337
8e6cde38df37ec19a97ac003f47a15629fb425b19ed6e869f108512555fc4f95
fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894
84404319135e2e1cc2bced7f56c99a81c1b19dc442966d3f0b1fa21756ee94b8
29fb5b111ae1c20a4b6a0e74b8df0748b1ccea58aa9d07a80f0bd1bb4577db56
SH256 hash:
fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894
MD5 hash:
972db0a413a4d80edde64d0f13ee2d4e
SHA1 hash:
74e9e7038a1669a5aecb02047476e318b7c5700e
Link:
https://www.unpac.me/results/2310b7a0-762d-4a6d-9d6b-4fba2dcaf36d/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fccd7eaee0ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_EXE_in_ISO
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects ISO files that contains an Exe file. Does not need to be malicious
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe fccd7eaee0eeecb3beab4005e428887eb9d25549d1c26d1efb50abe078202894

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/386555/

Comments