MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1cf4da06bdbb2578c72334e19ecc794697355a13a7931711748de27b2163e44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 2 File information 4 Yara 3 Comments

SHA256 hash: d1cf4da06bdbb2578c72334e19ecc794697355a13a7931711748de27b2163e44
SHA3-384 hash: 46dea3bfbf3f0b63ae2d65d89f0211d58c94bb8b5132773742fb0ce7349988db314ef063321267c3a571653fd06a1677
SHA1 hash: 688ab170f40065ca9b8f28a22a4297a92dfea8b4
MD5 hash: 48a173cfd8c009be182b420fb276003b
humanhash: oranges-charlie-victor-leopard
File name:INV 3326GHF- from Outriger General Importers Korea for acknowledgment.exe
Download: download sample
Signature Loki
File size:606'208 bytes
First seen:2020-06-30 05:36:35 UTC
Last seen:2020-06-30 07:01:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 24f26e153c9b6068c0a4770547eb6d9e
ssdeep 12288:MCbpcLhilrm7G8oclWEAroCo3DQmTN1sFOgQqJ0g/Bfl:zuLhi80Jro77sFOAJ0gRl
TLSH DBD47D22E3A0443FF172363D9D2B56BC982EBD51393C59463BE4DD4C6F392823926297
Reporter @abuse_ch
Tags:exe Loki

Malspam distributing Loki:

Sending IP:
From: Sales Team <>
Subject: INV 3326GHF- from Outriger General Importers Korea for acknowledgment
Attachment: INV 3326GHF- from Outriger General Importers Korea for (contains "INV 3326GHF- from Outriger General Importers Korea for acknowledgment.exe")

Loki C2:


Mail intelligence
Trap location Impact
Global Low
# of uploads 2
# of downloads 34
Origin country US US
CAPE Sandbox Detection:n/a
ClamAV PUA.Win.Adware.Slugin-6803969-0
CERT.PL MWDB Detection:lokibot
ReversingLabs :Status:Malicious
Threat name:Win32.Trojan.Injector
First seen:2020-06-29 23:33:33 UTC
AV detection:25 of 31 (80.65%)
Threat level:   5/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:lokibot
Tags:spyware trojan stealer family:lokibot
Config extraction:
VirusTotal:Virustotal results 50.00%

Yara Signatures

Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <>
Description:Rule to detect the presence of SQLite data in raw image

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe d1cf4da06bdbb2578c72334e19ecc794697355a13a7931711748de27b2163e44

(this sample)

Delivery method
Distributed via e-mail attachment