MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0a213269441f3202b4471e073843aa004f78eb2d939fd0cd51b3ab604d5f774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0a213269441f3202b4471e073843aa004f78eb2d939fd0cd51b3ab604d5f774
SHA3-384 hash: e5c2ada39effd50865f914e3c08337666162e41f5c4ab37ce07e31fc2ebf5766d0dcab34e5bfa45d97c210516ecbbd3c
SHA1 hash: 738cf2b9289cc4d46141c70a4708b214d112f5eb
MD5 hash: 75ccf567569785dd9df9a1d3942aa43a
humanhash: delaware-moon-thirteen-bacon
File name:Copy-Docs521510_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:714'752 bytes
First seen:2020-04-07 13:33:54 UTC
Last seen:2020-04-07 19:11:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fff3bd1817ca5b3a439e9ed0a1fe088b (3 x Loki, 2 x AgentTesla)
ssdeep 12288:sE1a0xLFIubbygeGkqCYWWG41Ffr5/qvkp7MFXcK5XWtlaqnT:soZxuu/b6W/1TtIXcoWt4sT
Threatray 1'473 similar samples on MalwareBazaar
TLSH 2AE47C16FE908432C16619388D5BF6B85B35FD01FA2BDB162AD83E4D7E3528139263D3
Reporter jarumlus
Tags:Loki Lokibot

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'067
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Packer.BorlandDelphi-1
Create hunting rule

Win.Trojan.Bladabindi-7663170-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Bladabindi
Create hunting rule
Status:
Malicious
First seen:
2020-04-07 01:06:46 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucrbgjuuihzsak2eohqhhbb2uacppdvs3e472dgvdm5lmbgv652a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
10839c4eb55e4d1cb78e5a9993d3b2f896fd945fd0f9464272af2f8e8aeae769
Loki
51230b571bc415dd906c04528a48a7558866ad5ff3895ad0bb6e591a0819ee00
Loki
5895f5fabc547b0085b8f6d77c7ee281e78b37a27e64dde09ae0ce84685efd9c
Loki
7d4f426890be9c55705465a92773cbd44a03d08c110a759d83c32b4a788b8f34
Loki
9bcf29ef3bbb1003db97934e2412dfb77fc1d289797a9b4eab2af243bbc8987f
Loki
cd7638f97bc9ae54e9d1fd3f2887c2aeae9b17015b95cf1873370dd59808005c
Loki
ceb4c5bc713bdc2801949e2d25f6fc2f4edf7b3cd47fdd87250a7efe72f1e0fd
Loki
d8689dd42505b5642a74074a5b1b37f8cd721c5e6423cf63f1fe80fe180f839a
Loki
e3728476d2bf67c1a6efb3ee13844d4c4632974c6c2f3e29eeb9f84a201eb3c1
Loki
fe36f8b161c6e9f38fba4be32eb2b67846c9c93de9f48028762f79e5ee2b6169
Loki
+ 1'463 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments