MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76b62ef8530770a98200250ce45c56647bab874f0bd1c2a5daa074e570a7d204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: 76b62ef8530770a98200250ce45c56647bab874f0bd1c2a5daa074e570a7d204
SHA3-384 hash: 21a6ebe17c2a4fa47c7ec2fee89f472a2ee04161db5a0f40be9a083eb2ac1507e58213ed29dea9a01ad6c47d96d87a19
SHA1 hash: 2a788f8becf61929ed9ee2f829fb672845467782
MD5 hash: daf2b66d6a336a33451b7dd1a0ec4268
humanhash: nine-carolina-orange-vegan
File name:Outstanding payment_ IVTJ20000686 AND IVTJ20000687.exe
Download: download sample
Signature Loki
File size:791'040 bytes
First seen:2020-07-31 11:17:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd44fc7474cd1f02fae5c94314314eb4
ssdeep 12288:UesfUazLqCwtZKGdotXPk0XvuZFuj905RzZZaGkzlDajU3eFt1vv8123VhOY:UzsEQD2Pk60A8NfmxiCere2FhX
TLSH 62F46C22B2D04432C3231A7F8F5B966C6936BF5F2925AA866BF51CCC5F396407835393
Reporter @abuse_ch
Tags:exe Loki


Twitter
@abuse_ch
Malspam distributing Loki:

HELO: bck.a2u2.com
Sending IP: 199.195.146.246
From: a.zhunysova@shanyrak-group.kz
Subject: Outstanding payment_ IVTJ20000686 AND IVTJ20000687
Attachment: Outstanding payment_ IVTJ20000686 AND IVTJ20000687.zip (contains "Outstanding payment_ IVTJ20000686 AND IVTJ20000687.exe")

Loki C2:
http://sieqwarteg.com/chief/chief2/fre.php

Intelligence


File Origin
# of uploads :
1
# of downloads :
35
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Result
Threat name:
Lokibot
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.DataStealer
Status:
Malicious
First seen:
2020-07-31 11:19:06 UTC
AV detection:
22 of 31 (70.97%)
Threat level
  5/5
Result
Malware family:
lokibot
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
Extraction:
http://sieqwarteg.com/chief/chief2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Threat name:
Malicious File
Score:
1.00

Yara Signatures


Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 76b62ef8530770a98200250ce45c56647bab874f0bd1c2a5daa074e570a7d204

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments