MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3b88b1d9c86a4f7cb1ae7c8b91d44d67c9c9e66ea51504c3204eb575a668fea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3b88b1d9c86a4f7cb1ae7c8b91d44d67c9c9e66ea51504c3204eb575a668fea
SHA3-384 hash: 0cc9a3a2a7957f425c6ab2d65b0ec4f605517578c61a34b66d4cc72ec0950c96eb9b6abff899107b1e8238c3e3ca0de3
SHA1 hash: 0d9d8b77c11e2547c76b35827326c10b517a341e
MD5 hash: fcabd32842ae0009315bb57ffc372786
humanhash: one-six-salami-stairway
File name:Scan00678.bat
Download: download sample
Signature Loki
Create hunting rule
File size:192'512 bytes
First seen:2020-05-19 05:57:58 UTC
Last seen:2020-05-19 07:12:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 36d3452b060a469e7cd116e86a4370d2 (1 x Loki)
ssdeep 1536:IZwTfKW4++7TNuuXdbHTcWOsKh9SGz6JBGOdvRYk5YJQT5YnrPWylTHb89kGUgIO:uwTfI++hDRO5/ziZjYKAoI5Q3
Threatray 657 similar samples on MalwareBazaar
TLSH 72142828E694B42BDAF68EFE87B19AFA90CD6C795944D70375403F2F31F5880A164237
Reporter abuse_ch
Tags:bat Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: srv.amazondistributors.com
Sending IP: 49.50.100.74
From: Shipping Agency <accounts@ssagency.net>
Reply-To: accounts@ssagency.net
Subject: CODE ST649AMSS
Attachment: Scan00678.gz (contains "Scan00678.bat")

Loki C2:
http://adkmeritime.com/xo/yes.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.47153.14120.14371.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 04:17:31 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yo4iwhm4q2sppsy247elshke2z6jzhtg5jivatbsatvvowtgr7va._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0fe7ea8749ad06ace6adf0d7ffa5f6f22ade0f9acafc4aac72b77f3b7c017ad9
Loki
15c365dfb62dc041e46ede5ae90f2e0966d1000b5936f0ed5d68f5d10e813171
Loki
2c1642f94762a15404bbc286403d839f6ceba0659179aa227232af98d2b49d6d
Loki
39e6a374774392541d763a447932461156263e643508c7958416023115d3ff61
Loki
691f116a33f2fc98e59cd019c856b9cdb6202de6b09091481b980ef60fecaef8
Loki
7556ace3bd8a035ca289145f068029f6137fe41f935b32fd1d0b046d1f2e05ab
Loki
814e2c04eb5851c9624cf3b0871932e22f99f0b3cbb9b22d987829cb05779e37
Loki
a9266bf550d2639f64352c62d4a4f59ac24cadabb6bb459c448935feb2303816
Loki
c37ae1ed1bf166c96faa73db4544f415c2b81f0a42ccd5311e0aabc0b9e4f455
Loki
fe0e6e3be607ade9869e9d5a06c87f2485aaf35a29691f74354d7e6a386e711a
Loki
+ 647 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201109-gwghaaj62x/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks QEMU agent state file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz bb28ab8b53debe600b3abf814c8577903ef824a634ffc6c8af9462647404de47

Loki

Executable exe c3b88b1d9c86a4f7cb1ae7c8b91d44d67c9c9e66ea51504c3204eb575a668fea

(this sample)

  
Dropped by
MD5 3a94c5f9c853be1d832ab6ca655bde01
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bb28ab8b53debe600b3abf814c8577903ef824a634ffc6c8af9462647404de47

Comments