MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d
SHA3-384 hash: e39531c7cc6c7b164886a9f2b2af1fab23d951197fb6c4f01457a610ce6f6a5fd878a0f6b4bb672606df02542f5dfc6a
SHA1 hash: 555a223b93c90cd3f11bf3263abe9a2e16effed1
MD5 hash: b161e6ed6d212e7a36026eaed1f3d902
humanhash: bacon-mike-cat-idaho
File name: engineserv.exe
Signature: Loki
File size: 603'648 bytes
First seen: 2020-06-30 06:07:20 UTC
Last seen: 2020-06-30 07:01:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e
ssdeep: 12288:oCbpcLhilrm7G8oclWEAroCo3DQmTSh+hH1npSCWvwO:vuLhi80Jro7XBpAvP
TLSH: 81D49F12E7A0443FF172363D9D2B57BC592ABE51393C59462BE4DC4C6F39382392A287
Reporter: @Jouliok
Tags: exe, Loki

Intelligence


Mail intelligence: No data
# of uploads: 2
# of downloads: 35
Origin country: GB

CAPE Sandbox
Detection: n/a
Link: https://www.capesandbox.com/analysis/16799/

ClamAV
PUA.Win.Adware.Slugin-6803969-0
PUA.Win.Adware.Slugin-6840354-0

CERT.PL MWDB
Detection: lokibot
Link: https://mwdb.cert.pl/sample/191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d/

ReversingLabs
Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-30 06:09:05 UTC
AV detection: 28 of 31 (90.32%)
Threat level: 5/5

Spamhaus Hash Blocklist
Malicious file

Hatching Triage
Score: 10/10
Malware Family: lokibot
Link: https://tria.ge/reports/200630-enf2lx7lp2/
Tags: spyware, trojan, stealer, family:lokibot
Config extraction (C2 URLs recovered from the sample's configuration):
http://mecharnise.ir/ea3/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

VirusTotal
VirusTotal results: 49.32%

Yara Signatures


Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | Loki | Executable exe | 191c7c47fec63f29c5409e19a59ae3545295928a2e0e5f83a64ce64d1e2f0c1d (this sample)

Delivery method: Distributed via web download

Comments