MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
SHA3-384 hash: b5cd3c36c89a01a600e0a927c5c855d8c63816d24f926e693888a6798508a2760bab7812eddd492cc3d73f67ebbba21c
SHA1 hash: 9cf027af7e84d7ec71ce54db868de067f8fbfe5e
MD5 hash: 60ade4912973d4ae63679603304102ec
humanhash: xray-november-hydrogen-delta
File name:purchase contract.pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:602'112 bytes
First seen:2023-04-17 06:37:33 UTC
Last seen:2023-04-17 06:39:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:yBRJXJTxig4/V2lAUszrDcav/hkMyc47ClRBKvGlf7/Uyhjk:CXNxiTDXca47ClRBYyzH
Threatray 4'233 similar samples on MalwareBazaar
TLSH T1E3D4E069E0259DE7E6CD077A00143AE9DB3865E3787BC63C0B9674DACB9F3112D8418B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00e86871e8d4c400 (6 x AgentTesla, 1 x Loki)
Reporter lowmal3
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
559
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
lokibot
Create hunting rule
ID:
1
File name:
purchase contract.pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 06:40:10 UTC
Tags:
trojan lokibot
Link:
https://app.any.run/tasks/0678cef0-29ba-48d5-8b74-63358ad55953

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382725/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a process from a recently created file
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot packed
Link:
https://www.filescan.io/uploads/643ce94da952850b62766b3b/reports/d7fbaa98-9266-4cb3-8f83-c3e859a8c286/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c647554f-e47b-4cf9-8b41-2d9f93d71e7f
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214995
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 847919 Sample: purchase_contract.pdf.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for domain / URL 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 10 other signatures 2->51 7 purchase_contract.pdf.exe 7 2->7         started        11 zodYWPVhHwzJI.exe 5 2->11         started        process3 file4 35 C:\Users\user\AppData\...\zodYWPVhHwzJI.exe, PE32 7->35 dropped 37 C:\...\zodYWPVhHwzJI.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\Local\Temp\tmpFF6.tmp, XML 7->39 dropped 41 C:\Users\...\purchase_contract.pdf.exe.log, CSV 7->41 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 7->53 55 Adds a directory exclusion to Windows Defender 7->55 13 purchase_contract.pdf.exe 57 7->13         started        17 powershell.exe 21 7->17         started        19 powershell.exe 20 7->19         started        25 2 other processes 7->25 57 Multi AV Scanner detection for dropped file 11->57 59 Tries to steal Mail credentials (via file registry) 11->59 61 Machine Learning detection for dropped file 11->61 21 schtasks.exe 1 11->21         started        23 zodYWPVhHwzJI.exe 11->23         started        signatures5 process6 dnsIp7 43 64.227.48.212, 80 DIGITALOCEAN-ASNUS United States 13->43 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->63 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal ftp login credentials 13->67 69 Tries to harvest and steal browser information (history, passwords, etc) 13->69 27 conhost.exe 17->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 25->33         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7zobsunoff2oecfjindlvbm2t3l2ga4traguaqjrl422hxmqx44a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
099dfc4278cbcfc8c1e84bd46bde0b5ddbdc86b20d95b8ba6b98b66b4436a345
Loki
289a4bc231a47d921ad357468a18f0fcae9173f369fbd23b602eae0feaf95759
Loki
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
Loki
5267caaadc1e9d045e08de329de614b3b85f615aeec1a5927c32cfe82d493d2c
Loki
82faa2430877999d6998765647feeb8a474a5672736637d8278efa9e2425ca83
Loki
ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee
Loki
d79b67e9e7380e870103acd7b29951d0a4cb5f6da18c28a21070463aad65be45
Loki
ec6cebe1ace02965184a065528322e6b881abc1930d87223cfeafac4204c0bbc
Loki
f36afdc4b01e349a83cd54619dcc3864d800c328c784c79ccce271ff48742523
Loki
+ 4'223 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer trojan
Link:
https://tria.ge/reports/230417-hd2spsdc48/
Behaviour
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://64.227.48.212/?page_id=4983000593629
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Unpacked files
SH256 hash:
21f0154b51a09767f94922b81f5fcd15cf4a6390ab7314e40d0e17b2dcdfe6ba
MD5 hash:
c926563698de3a89ad20474c85122f73
SHA1 hash:
ed1a3b2527ace111e6f39880c7ee3965f301330d
Link:
https://www.unpac.me/results/ee83e564-cc10-49b0-815b-9370a8da03a0/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/ee83e564-cc10-49b0-815b-9370a8da03a0/
SH256 hash:
07fcb84891f6ccbc3e96cf947aaf8d6ebdc68e0ada83cb27e7fddaa30d3f088a
MD5 hash:
e635110b909e53217ee5c7488bd7425f
SHA1 hash:
892fc85c05125484cf675e9912b993498477a767
Link:
https://www.unpac.me/results/ee83e564-cc10-49b0-815b-9370a8da03a0/
SH256 hash:
69193d4ec928b60a32ed5ee6e8fdab3da230436b8c50062992a7dba0761b4928
MD5 hash:
cf3b94170e79640c8e4f4ff0cf1e11a2
SHA1 hash:
553907b7789a0763e300be6758e47dd1feecce7c
Detections:
lokibot
Create hunting rule
win_lokipws_auto
Create hunting rule
win_lokipws_g0
Create hunting rule
Link:
https://www.unpac.me/results/ee83e564-cc10-49b0-815b-9370a8da03a0/
Parent samples :
9379c08a611d759dd3dd8532c51baf927373581ec4ed728e7fe9e418aa297ed2
d79b67e9e7380e870103acd7b29951d0a4cb5f6da18c28a21070463aad65be45
099dfc4278cbcfc8c1e84bd46bde0b5ddbdc86b20d95b8ba6b98b66b4436a345
ad9510ceea49f6f5b37d1310869d7d1d09ce0366833197c55fa83bbfa95d52ee
fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
SH256 hash:
ade0d6223c3f40fad59f55a11e4e9c8067ee049b0b3a766fd0d8253ac3764a3b
MD5 hash:
3c1a77e42af8c39f7a52cd2e600d127e
SHA1 hash:
38e259a8377f674f3a4a839e9a9f72e55200435a
Link:
https://www.unpac.me/results/ee83e564-cc10-49b0-815b-9370a8da03a0/
SH256 hash:
fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38
MD5 hash:
60ade4912973d4ae63679603304102ec
SHA1 hash:
9cf027af7e84d7ec71ce54db868de067f8fbfe5e
Link:
https://www.unpac.me/results/ee83e564-cc10-49b0-815b-9370a8da03a0/
Malware family:
Lokibot
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fe5c1951ae29/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe fe5c1951ae2974e208a94346ba859a9ed7a30393880d4041315f35a3dd90bf38

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382725/

Comments