MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 057f4ea12c391a6fb346574383fb2a4feaf692e4bdb8383160b34672fdf239da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 057f4ea12c391a6fb346574383fb2a4feaf692e4bdb8383160b34672fdf239da
SHA3-384 hash: 716c5f69003caf264d2a9a73a8c61603b8ba5fbab1b05de37417922b3fd17186a56a66af88e669132e5f73e522dd4096
SHA1 hash: 04cceb3158b25281708b5a81dad842027b5d6242
MD5 hash: 00e0a2a9a97c415975ef5f9734653a9b
humanhash: william-yankee-iowa-asparagus
File name:BKG# PNPN203746.xls.gz.exe
Download: download sample
Signature Loki
Create hunting rule
File size:243'200 bytes
First seen:2020-06-18 05:32:26 UTC
Last seen:2020-06-18 12:59:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:OlGUQPgSEvKxt6UtT02/MPjk1YAHyv3s1wIy3vuV6lfud4xgBlDN5bPcSe8xKQWk:vSc6eTRI1QyvKy/zlfudIA7cSrKK
Threatray 1'606 similar samples on MalwareBazaar
TLSH EC34CF0A7A9CDB15C86D4B7BC4E6410003F8AD6A3A22E72E7FC5339C19537E7590668F
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: uapcu.org
Sending IP: 95.211.208.25
From: Vicheth <info1@uapcu.org>
Subject: RE: BOOKING PNH FOR ETD JUNE-2020 BKG# PNPN203746
Attachment: BKG PNPN203746.xls.gz.zip (contains "BKG# PNPN203746.xls.gz.exe")

Loki C2:
http://uapcu.org/bin/cdi-bin/five/fre.php

Intelligence

File Origin
# of uploads :
3
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19600/
Detection(s):
SecuriteInfo.com.FakeAlert.9060.1798.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 00:45:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=av7u5ijmheng7m2gk5byh6zkj7vpnexexw4dqmlawndhf7pshhna._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
069ce231194bdb4305fde084a55ad1026acaa073fcb90110b132ba27a53441ab
Loki
143da9c82587966091a89e47a13083cbfa757699296e37b333ba607c7052dc8f
Loki
313fc2bc689fcc4d9d0b191fa6107cf29dd9f56aba4b3ef2ad0b02e6a7596bf4
Loki
319274d1c6c50850ea1fb7673c288c90b4df3420fd6362bac3fbfb93e3f1ea2d
Loki
36f23217058d61b401b63cfe41e8a7ccc1f5525a3f6b0c57800fda8403429fb6
Loki
6e7b381441447157749ba664134682c01bad587614b29dab79aeab904419857d
Loki
7bb0368333b8dc8c6b4c422f11c02ec43d385547b460c2f1f8cf78013521a2f5
Loki
b32e124d79e22d6fa01bea107ce49b5247629f4c4be8b27242887f2151d9ac31
Loki
bf7ae4c4b3df671cb890a8814463ad46ec4d6edb6da0fe9c9201c1d3d9bec52d
Loki
cdef1fc7b825c5c220e1f3422d9e1da4e930473ff6c113b6610db99eccca8e17
Loki
+ 1'596 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200624-qpxgcnvala/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://uapcu.org/bin/cdi-bin/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip c5c03ed092f1f4d36a62f1006e6b7fb8fba7f08fd54e09918c67029970829c84

Loki

Executable exe 057f4ea12c391a6fb346574383fb2a4feaf692e4bdb8383160b34672fdf239da

(this sample)

  
Dropped by
MD5 5796f4cde28079c537ae19afa3f678a9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c5c03ed092f1f4d36a62f1006e6b7fb8fba7f08fd54e09918c67029970829c84
Cape
Cape
https://www.capesandbox.com/analysis/19600/

Comments