MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c287d78aae1e3f907ce09a6750eea328153e32598726a505651ab5ca1ee573e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 0c287d78aae1e3f907ce09a6750eea328153e32598726a505651ab5ca1ee573e
SHA3-384 hash: 9f24eff761a900556a9345225e43960b6c86fb9e10db96364316b6a87a218ed9b720d6f92fafabf90f2707903a78fbf0
SHA1 hash: 298d99bd858bdf19a2874a5e8bd5f655c7695974
MD5 hash: 7a3e1f5c0c498fc33db2702be21d2073
humanhash: kentucky-sierra-shade-summer
File name: updated file_pdf.exe
Signature: Loki
File size: 935'936 bytes
First seen: 2020-06-29 18:01:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9a5cc778d0f4132de3891c04833334e8
ssdeep: 12288:ijnGLjIup+Q67pPhPc3IAMXOvIHoFdDRVmqOJ1UVSZp6ohSloWZazub1ZG:ijoUuGNhPc3uOIoScVSZHhSJZaqb1ZG
TLSH: B4157D22F2925433E1B356389C1B52B5983ABDD0FD3C98466BE5CD6C5F3968338342A7
Reporter: @abuse_ch
Tags: BRA exe geo Loki


Twitter: @abuse_ch
Malspam distributing Loki:

HELO: metheksis.gr
Sending IP: 5.9.14.91
From: Universidade de São Paulo <office@5.usp.br>
Subject: PEDIDO DE LICITAÇÃO (Universidade de São Paulo) EUI894/BU4600
Attachment: PEDIDO DE LICITAÇÃO 29-6-2020_pdf.rar (contains "updated file_pdf.exe")

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 33
Origin country: US
CAPE Sandbox
Detection: Loki
Link: https://www.capesandbox.com/analysis/16551/

ClamAV
PUA.Win.Adware.Slugin-6803969-0
PUA.Win.Adware.Slugin-6840354-0
PUA.Win.Adware.Webalta-6854075-0
PUA.Win.Adware.Webalta-6862190-0
SecuriteInfo.com.Variant.Zusy.307899.10298.11102.UNOFFICIAL

CERT.PL MWDB
Detection: lokibot
Link: https://mwdb.cert.pl/sample/0c287d78aae1e3f907ce09a6750eea328153e32598726a505651ab5ca1ee573e/

ReversingLabs
Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-29 17:03:33 UTC
AV detection: 28 of 30 (93.33%)
Threat level: 2/5

Spamhaus Hash Blocklist
Status: Malicious file

Hatching Triage
Score: 10/10
Malware Family: lokibot
Link: https://tria.ge/reports/200629-spx46twcea/
Tags: spyware trojan stealer family:lokibot
Config extraction (C2 URLs recovered from the sample's configuration):
http://195.69.140.147/.op/cr.php/SczbkxCQZQyVr
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

VirusTotal
VirusTotal results: 36.99%

Yara Signatures


Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_lokipws_g0
Author: Slavo Greminger, SWITCH-CERT

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Malspam > Loki > Executable exe 0c287d78aae1e3f907ce09a6750eea328153e32598726a505651ab5ca1ee573e (this sample)

Delivery method: Distributed via e-mail attachment

Comments