MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72df3f9a494ac0d849ea6ba3917dfc37d7275f170f01348d3fd2ad77fb3d601d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72df3f9a494ac0d849ea6ba3917dfc37d7275f170f01348d3fd2ad77fb3d601d
SHA3-384 hash: 4591f836bbb59aa7f3fa6c51c1739a4beb77a7dbcdf9d6f7f052d09099a1d1fe833dff110086f645e41b84a5a7a13ce2
SHA1 hash: fb34281e91b8ec537a438e66f927009da72b07a3
MD5 hash: 3768fe51238c141f42cab373c8135963
humanhash: beer-four-avocado-mirror
File name:PI-BL_SHIPPING DOCUMENT.scr
Download: download sample
Signature Loki
Create hunting rule
File size:184'320 bytes
First seen:2020-05-18 06:35:18 UTC
Last seen:2020-05-18 11:46:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 140e1ff4cd8767608ceefff2e05187ce (1 x Loki)
ssdeep 3072:/u7oSVw1Luj/0z/SJa0xhZcv9xrVEybRWsy58J/:29wFum/SJRxg9N2K5y
Threatray 49 similar samples on MalwareBazaar
TLSH 41045B62F5D4AE02D621893E9FE586B8511ABCB04F11C90370863F5F3AF7946A772327
Reporter abuse_ch
Tags:Loki Maersk scr


Avatar
abuse_ch
Malspam distributing Loki:

HELO: rance.com
Sending IP: 173.82.243.253
From: Maersk Line Container Logistics & Supply Chain Services Container Logistics & Supply Chain Services <ca.export@maersk.com>
Subject: ATTN: PI&BL URGENT_SHIPPING_DOCUMENT%
Attachment: PI-BL_SHIPPING DOCUMENT.gz (contains "PI-BL_SHIPPING DOCUMENT.scr")

Loki C2:
http://lmpulsefashion.net/four/gates3/fre.php

Intelligence

File Origin
# of uploads :
4
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.46843.32253.7741.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-17 21:40:43 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
23 of 30 (76.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=olpt7gsjjlanqspknorzc7p4g7lsoxyxb4atjdj72kwxp6z5maoq._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2f2670e8a7845cf300320415c6a16ffc34e662672f16d7cfcf5b911d088516d9
Loki
30e772385fc3887fdd1ef1e358dc05cc83da655ecf53257800daf5d68ae430fd
Loki
3e5bbf9fcae918011ec4eee75ac6402fddf20d09fef95b362d0e226d56b80f1d
Loki
5aa9861dcb5890caaadd311b1eed80e2ae65bd0d46937cc3bdee4757da908fc6
Loki
60544c6694620488b69e568b15c96b33971dd7343ba63da31f993332852871c2
Loki
81a9eb444ffc7c5a700d4da6198c2f929d0e312d38667b9d3e29740eccabca3f
Loki
89ba115fae17f47a9f69c535d1b79510d8123e80207495b5380b1b8b1f66c814
Loki
8d5a770975e52ce1048534372207336f6cc657b43887daa49994e63e8d7f6ce1
Loki
af53e36a62f237597b47d34349e40c16a3682a492fe7c320c7e834f6247e078a
Loki
e5b440a826d14744df920514f027f0871f84292d83b95b731eadfe3165117448
Loki
+ 39 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-9nj2x5cm62/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent state file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz e821b5d7800df3d0049b41d6c33997b3d710d3b37801704bd2823cc621a678b8

Loki

Executable exe 72df3f9a494ac0d849ea6ba3917dfc37d7275f170f01348d3fd2ad77fb3d601d

(this sample)

  
Dropped by
MD5 72e478f8aec32822709260549d0ec7a5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e821b5d7800df3d0049b41d6c33997b3d710d3b37801704bd2823cc621a678b8

Comments