MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faa3a278a21f49f11e1b16046f40ee2a4ca3db0eba7c4639c20b58a9d647f99c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 3

SHA256 hash: faa3a278a21f49f11e1b16046f40ee2a4ca3db0eba7c4639c20b58a9d647f99c
SHA3-384 hash: cbf0c7c09d0982c2e818f00e35c1d146548e5db4482f59f62f4e7119ff9fae328563c5c0076287745966ff623eb50672
SHA1 hash: a594779f1d5bf7af732234dd1606561ec7ab3891
MD5 hash: e4536fe93a67b4ad00e10610353a6d5d
humanhash: massachusetts-yankee-march-social
File name: EXP DHL Reimb Exp InvU9422-PDF.gz
Signature: Loki
File size: 343'923 bytes
First seen: 2020-06-29 06:33:02 UTC
Last seen: Never
File type: gz
MIME type: application/gzip
ssdeep: 6144:7IpfHMNA1gQN4gGQbBHQGHCP1+L7omeORRqIN/M3+5BJuG+Iq/jEaHm5R:MpfHMNA1zLi8Aw7oveplCIqb6L
TLSH: 7A7423D74E964279F4F965D07AAEFCE7E253C7570C988030EFA02AB6064728C770B619
Reporter: abuse_ch
Tags: DHL gz Loki


abuse_ch
Malspam distributing Loki:

HELO: ezw02-outboundmail.oncloud.co.id
Sending IP: 117.54.5.20
From: Formal Delivery Clearance Support (DHL) <qiqi@multiguna-ip.co.id>
Subject: Electronic invoice generated by DHL Express_Invoice-MAJW-18-06-2020: Air Waybill no 1395482082
Attachment: EXP DHL Reimb Exp InvU9422-PDF.gz (contains "EXP DHL Reimb Exp InvU9422-PDF.exe")

Loki C2:
http://airmanselectiontest.com/dest/Panel/fre.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Infostealer.PonyStealer
Status: Malicious
First seen: 2020-06-29 03:04:07 UTC
AV detection: 26 of 31 (83.87%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Loki
    gz faa3a278a21f49f11e1b16046f40ee2a4ca3db0eba7c4639c20b58a9d647f99c (this sample)
      Dropping: Loki

Delivery method: Distributed via e-mail attachment
