MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3368363263766bc139e690192523a2a2d585c137b3b9d6230e06a590c1ba7753. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3368363263766bc139e690192523a2a2d585c137b3b9d6230e06a590c1ba7753
SHA3-384 hash: 47597ce09b0824c67bdc08fea4a362499d9c9702b701446ae084cd11c9116eaf42c078c95421d799850503982bbe0be8
SHA1 hash: f117aa74010903ec638f374f82850cff80fc6603
MD5 hash: 3604c94317e50567f1bee2a3d06d2c48
humanhash: timing-friend-happy-illinois
File name:RFQ40631.exe
Download: download sample
Signature Loki
Create hunting rule
File size:702'464 bytes
First seen:2020-05-05 09:26:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 226840561775b99befbf510bf424651d (8 x AgentTesla, 4 x Loki, 2 x NanoCore)
ssdeep 12288:iYIh/JDWJ31qKVD4sNe48ZoVX/tTIiPyN8/rvZVEbwFggDQZqx2Y7Ds:iF/Ds4LoVX1hagvZVxFggIC24o
Threatray 1'500 similar samples on MalwareBazaar
TLSH 4FE4AF26B1904C37C16FEA3D8C4B9764B93EBE512E2865823BF51D4C5F387E1392A187
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: host1105.infoser.net
Sending IP: 37.153.90.190
From: Georgios Michos <m.george@immsupplies.com>
Subject: RE: Νέα παραaγγελία / αίτηaμα_RFQ40631
Attachment: RFQ40631.zip (contains "RFQ40631.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7759529-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 01:57:05 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnudmmtdozv4copgsamski5culkylqjxwo45miyoa2szbqn2o5jq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0321b082e29f9b21f9994c225d25ff752bd6359ae9c10c79fe7cff61cfd770dd
Loki
4d9b378b9a46745f4987b348e6d3c7d0e3238cf23284c5551e457f28dc3a726b
Loki
5b2989ef162f3637ce93f1aa6b8a0efaf712078d1217aed9150b8c7dc55f0275
Loki
7c7a4a9bb34b9c0f6167e07c150c1cd48257a98d3383af09e7962a61583d014e
Loki
ad1922d859c3503dbd1a971cc42b5e949c9c7f2d85b7dcc3b2e4317cb776c9ce
Loki
b3157c8f83d4e664f3f5963fffe6ab33b3bcbd231bde05ccb732edfe31bc28a2
Loki
caa2e60301253755864101e4e87e427842a0ba4f78f40e1bc330991b87775028
Loki
d1398a54275d65d1bbb0f8937e4de1263dc5293586d58d8140418c9ee162e27c
Loki
e6c32ec6965b96c741a2e916faa8c1e296d8da47474fe7feda65427c9565a705
Loki
ee6148aef85c2c43108bccc176a944851f971999eb0aff03cae72c57ecd50959
Loki
+ 1'490 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/201109-y455295n1a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Lokibot
Malware Config
C2 Extraction:
http://flennor-de.icu/P1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 56f72fd8913b4d8e21663dee4a2b1ec242b875b9e185ace9cce522bfbb60e422

Loki

Executable exe 3368363263766bc139e690192523a2a2d585c137b3b9d6230e06a590c1ba7753

(this sample)

  
Dropped by
MD5 2f6bcfeb9f75a972aa8d03cfc82cce30
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 56f72fd8913b4d8e21663dee4a2b1ec242b875b9e185ace9cce522bfbb60e422

Comments