MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c287d78aae1e3f907ce09a6750eea328153e32598726a505651ab5ca1ee573e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 2 File information 4 Yara 4 Comments

SHA256 hash: 0c287d78aae1e3f907ce09a6750eea328153e32598726a505651ab5ca1ee573e
SHA3-384 hash: 9f24eff761a900556a9345225e43960b6c86fb9e10db96364316b6a87a218ed9b720d6f92fafabf90f2707903a78fbf0
SHA1 hash: 298d99bd858bdf19a2874a5e8bd5f655c7695974
MD5 hash: 7a3e1f5c0c498fc33db2702be21d2073
humanhash: kentucky-sierra-shade-summer
File name:updated file_pdf.exe
Download: download sample
Signature Loki
File size:935'936 bytes
First seen:2020-06-29 18:01:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a5cc778d0f4132de3891c04833334e8
ssdeep 12288:ijnGLjIup+Q67pPhPc3IAMXOvIHoFdDRVmqOJ1UVSZp6ohSloWZazub1ZG:ijoUuGNhPc3uOIoScVSZHhSJZaqb1ZG
TLSH B4157D22F2925433E1B356389C1B52B5983ABDD0FD3C98466BE5CD6C5F3968338342A7
Reporter @abuse_ch
Tags:BRA exe geo Loki

Malspam distributing Loki:

Sending IP:
From: Universidade de São Paulo <>
Subject: PEDIDO DE LICITAÇÃO (Universidade de São Paulo) EUI894/BU4600
Attachment: PEDIDO DE LICITAÇÃO 29-6-2020_pdf.rar (contains "updated file_pdf.exe")


Mail intelligence
Trap location Impact
Global Low
# of uploads 1
# of downloads 33
Origin country US US
CAPE Sandbox Detection:Loki
ClamAV PUA.Win.Adware.Slugin-6803969-0
CERT.PL MWDB Detection:lokibot
ReversingLabs :Status:Malicious
Threat name:Win32.Trojan.Injector
First seen:2020-06-29 17:03:33 UTC
AV detection:28 of 30 (93.33%)
Threat level:   2/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:lokibot
Tags:spyware trojan stealer family:lokibot
Config extraction:
VirusTotal:Virustotal results 36.99%

Yara Signatures

Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Author:Julian J. Gonzalez <>
Description:Rule to detect the presence of SQLite data in raw image

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe 0c287d78aae1e3f907ce09a6750eea328153e32598726a505651ab5ca1ee573e

(this sample)

Delivery method
Distributed via e-mail attachment