MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1cf4da06bdbb2578c72334e19ecc794697355a13a7931711748de27b2163e44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: d1cf4da06bdbb2578c72334e19ecc794697355a13a7931711748de27b2163e44
SHA3-384 hash: 46dea3bfbf3f0b63ae2d65d89f0211d58c94bb8b5132773742fb0ce7349988db314ef063321267c3a571653fd06a1677
SHA1 hash: 688ab170f40065ca9b8f28a22a4297a92dfea8b4
MD5 hash: 48a173cfd8c009be182b420fb276003b
humanhash: oranges-charlie-victor-leopard
File name: INV 3326GHF- from Outriger General Importers Korea for acknowledgment.exe
Signature: Loki
File size: 606'208 bytes
First seen: 2020-06-30 05:36:35 UTC
Last seen: 2020-06-30 07:01:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 24f26e153c9b6068c0a4770547eb6d9e
ssdeep: 12288:MCbpcLhilrm7G8oclWEAroCo3DQmTN1sFOgQqJ0g/Bfl:zuLhi80Jro77sFOAJ0gRl
TLSH: DBD47D22E3A0443FF172363D9D2B56BC982EBD51393C59463BE4DD4C6F392823926297
Reporter: @abuse_ch
Tags: exe Loki


Twitter
@abuse_ch
Malspam distributing Loki:

HELO: gmail.com
Sending IP: 156.96.62.70
From: Sales Team <sales.outriger@gmail.com>
Subject: INV 3326GHF- from Outriger General Importers Korea for acknowledgment
Attachment: INV 3326GHF- from Outriger General Importers Korea for acknowledgment.zip (contains "INV 3326GHF- from Outriger General Importers Korea for acknowledgment.exe")

Loki C2:
http://coolgirlsnation.com/wp-includes/manba/fre.php

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 34
Origin country: US

CAPE Sandbox
Detection: n/a
Link: https://www.capesandbox.com/analysis/16774/

ClamAV
PUA.Win.Adware.Slugin-6803969-0
PUA.Win.Adware.Slugin-6840354-0

CERT.PL MWDB
Detection: lokibot
Link: https://mwdb.cert.pl/sample/d1cf4da06bdbb2578c72334e19ecc794697355a13a7931711748de27b2163e44/

ReversingLabs
Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-29 23:33:33 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5

Spamhaus Hash Blocklist
Malicious file

Hatching Triage
Score: 10/10
Malware Family: lokibot
Link: https://tria.ge/reports/200630-b9dj19ck7n/
Tags: spyware trojan stealer family:lokibot
Config extraction:
http://coolgirlsnation.com/wp-includes/manba/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

VirusTotal
Virustotal results: 50.00%

Yara Signatures


Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (Distributed via e-mail attachment)
Signature: Loki
Sample: Executable exe d1cf4da06bdbb2578c72334e19ecc794697355a13a7931711748de27b2163e44 (this sample)
