MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74e6a167dff835aee34f4896f9745ef7113baefbb8bf0610c4ec8e1827c79f2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 74e6a167dff835aee34f4896f9745ef7113baefbb8bf0610c4ec8e1827c79f2e
SHA3-384 hash: 8dfc2df0f453d1e05740c12fb038a3dfaba5b54e84856d16978ffbebc565daa251158bd1f838159535058123446c41bc
SHA1 hash: 19c2de0a634d65fb3312ea2e5c71298369685648
MD5 hash: de7567dcc1d3608f5c45cadcc56b6b30
humanhash: uranus-green-jupiter-violet
File name: Quotation_pdf.exe
Signature: Loki
File size: 372'183 bytes
First seen: 2020-07-31 11:07:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2c71dfce9a27650634dc8b1ca03bf0
ssdeep: 6144:RPCganNN0iP/ph7hXOweKY9xa0O+87mHGdfTIluOMTMeO+GEsNwDK6+:Pan/04v7hX7o9xj6vdbIluTMD+GEvDKD
TLSH: BF841340B274D892C5609E710C76ED36ABD6BE890FA9D50BEBE4F96EB1F01C7090F245
Reporter: @abuse_ch
Tags: exe Loki


Twitter (@abuse_ch):
Malspam distributing Loki:

HELO: amout08.alpha-mail.net
Sending IP: 216.230.254.48
From: "Catherine Minio"<info@sagami-su.co.jp>
Reply-To: <c.mini@blancmariclo.com>
Subject: AW: Quotation for new order
Attachment: Quotation.rar (contains "Quotation_pdf.exe")

Loki C2:
http://modevin.ga/~zadmin/lmark/gld/mode.php

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 32
Origin country: US

Mail intelligence
Geo location: CH Switzerland; Volume: Low
Geo location: Global; Volume: Low
Vendor Threat Intelligence

Result
Threat name: Lokibot
Detection: malicious
Classification: spyw.evad
Score: 84 / 100
Signature
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph ID 255315 (image not reproduced here; recoverable details follow). Sample: Quotation_pdf.exe; start date 31/07/2020; architecture: WINDOWS; score: 84.
Contacted hosts: modevin.ga (84.38.180.148, port 80, SELECTELRU, Russian Federation), g.msn.com, asf-ris-prod-neurope.northeurope.cloudapp.azure.com.
Process tree: Quotation_pdf.exe started rundll32.exe, which started two cmd.exe instances.
Files dropped by Quotation_pdf.exe: C:\Users\user\AppData\Roaming\...\regcap.exe (PE32), C:\Users\user\AppData\...\csspkgui.dll (PE32), C:\Users\user\AppData\Roaming\...\vshost.exe (PE32), plus 9 other files (none is malicious). File dropped by cmd.exe: C:\Users\user\AppData\Roaming\...\B52B3F.exe (PE32).
Signatures attached to the graph are the same as those listed above (Yara detected Lokibot, Yara detected aPLib compressed binary, suspicious name, control-flow hijacking and DLL/memory mapping into another process from rundll32.exe, mail credential theft and renamed cmd.exe from cmd.exe).
Result
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-07-31 11:09:05 UTC
AV detection: 17 of 31 (54.84%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour: NSIS installer

Result
Threat name: Gamarue
Score: 1.00

Yara Signatures


Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: Loki
File: Executable exe 74e6a167dff835aee34f4896f9745ef7113baefbb8bf0610c4ec8e1827c79f2e (this sample)

Delivery method
Distributed via e-mail attachment

Comments