MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e59a9f5da7389d07f3649a20a9e10135b7ab42c2c9711e8990b32aa3aa79eac8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: e59a9f5da7389d07f3649a20a9e10135b7ab42c2c9711e8990b32aa3aa79eac8
SHA3-384 hash: 445c67347a4fbb51dc8b5ed4133182fd7238c44712eb846279c7daf99943a772843880d7790f52ed7492377d97d04fef
SHA1 hash: b2e8a3ced8d1a4ef15432892ed2998920d4b7cd0
MD5 hash: 9d99b9aff2251ca3b2ab0658ab1ec0a6
humanhash: red-fruit-princess-hawaii
File name: PO-USD#04072018.exe
Signature: Loki
File size: 214'338 bytes
First seen: 2020-06-30 08:53:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2c71dfce9a27650634dc8b1ca03bf0
ssdeep: 3072:zPqRxga51PDBfcRFbCa4d+N1QHqnzibPOh6pptOnjB1JOW/q/qK/4Bdf:zPCganNeJV4omHqnzfQpp0nLoW/QN4Df
TLSH: EF24025B6BA0D8BBC2580A7115397ABBEFAD5E2401412F0B1FA13E173C7B1425E0F65E
Reporter: @jarumlus
Tags: Loki

Intelligence


Mail intelligence
Trap location      Impact
Global             Low
NL Netherlands     Low
# of uploads: 1
# of downloads: 30
Origin country: US

CAPE Sandbox Detection: Loki
Link: https://www.capesandbox.com/analysis/17015/

ClamAV: PUA.Win.Downloader.Soft32downloader-6691270-0
        SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL

CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/e59a9f5da7389d07f3649a20a9e10135b7ab42c2c9711e8990b32aa3aa79eac8/

ReversingLabs: Status: Malicious
Threat name: Win32.Trojan.Swotter
First seen: 2020-06-30 08:55:06 UTC
AV detection: 24 of 31 (77.42%)
Threat level: 2/5

Spamhaus Hash Blocklist: Malicious file

Hatching Triage Score: 10/10
Malware Family: lokibot
Link: https://tria.ge/reports/200630-h7bydjy6rj/
Tags: spyware trojan stealer family:lokibot
Config extraction (C2 URLs recovered from the sample):
  http://egamcorps.ga/~zadmin/lmark/pvent/mode.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php

VirusTotal: Virustotal results 24.66%

Yara Signatures


Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Loki
Executable exe e59a9f5da7389d07f3649a20a9e10135b7ab42c2c9711e8990b32aa3aa79eac8 (this sample)
Delivery method: Distributed via e-mail attachment

Comments