MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 068ec47d8b4ff08861d1a9f4548132c8408cac3ee909b19f2c69e837a6f61f03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 068ec47d8b4ff08861d1a9f4548132c8408cac3ee909b19f2c69e837a6f61f03
SHA3-384 hash: c68f84bf4e0e07e8d95ffdb345a3581e20e339c414458c59b5c8574140dcca4ecb38701d842cdedbdd3ca06d060ccc29
SHA1 hash: bcdf7efe8da399ab0c3845d14f92d18551f1542a
MD5 hash: 2d7d8d6c2e9de8461eef887545f79656
humanhash: mississippi-seven-mockingbird-summer
File name:INV02072020PO9876.exe
Download: download sample
Signature Loki
Create hunting rule
File size:244'089 bytes
First seen:2020-07-02 07:01:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep 6144:BPCganNH03DkX1MfJmjme4SoP6pBndjPPlyPeDrGi2cWhAE7:/anx03D46cjmNoBndR8eDCZHhAE7
Threatray 1'165 similar samples on MalwareBazaar
TLSH E734121A6FC0E427DC7709B00F7179EAAFF9973100524B8F1B502E49B94BBD79A2D162
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: sectec.co.kr
Sending IP: 5.101.151.104
From: Majid Jami <majid.jami@parsbehdasht.com>
Reply-To: info@dennisbearman.com
Subject: COVID-19-Order-JULY-02-07-20-Quote
Attachment: INV02072020PO9876.gz (contains "INV02072020PO9876.exe")

Loki C2:
http://egamcorps.ga/~zadmin/lmark/frega/mode.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18338/
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/068ec47d8b4ff08861d1a9f4548132c8408cac3ee909b19f2c69e837a6f61f03/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 07:03:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2hmi7mlj7yiqyorvh2fjajszbaizlb65ee3dhzmnhudpjxwd4bq._file
Verdict:
malicious
Similar samples:
263ebb9b5300e025d410afc9957357143ba4d7ece37bf1704919f3e69a37fc1a
Loki
3412f3e08654eceebff6c557eb9f0e82ab9e7b4cf5b0a3b9f2c7fefa5d07fe75
Loki
4adb6a21c1056dafc19fe22df99b061d94e25e258aa4ff3c35fb8cc65faa2c17
Loki
5866468d4084d09ee1b47f5135e8968923581b6f6fb5bacaed97b0e3da3a6999
Loki
5a0715de8860e50b6f80a1a1cd245d6133d6b3a15bfce756b46458efd8abd8ab
Loki
5ff8d4f4e7a47982ad40dd0338524c881824e309c548b211b68a161da5f14a78
Loki
ba70b16e63725d98406a9e9da5126d9dde77fea5f3b080b5571f2553675ad8a7
Loki
c382d2d33c7036ac95058ef7ab3305b3234394428c28786d8c35f4a049047653
Loki
de7d61e71cd9f20980881075cd70b8ec69b8fea3624d2381bb91acb0000d2b52
Loki
df914069e95c673b5d02b806aba18f932a8f1b745cfd98fcba0189c030dfaec0
Loki
+ 1'155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200702-2myymchq7e/
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz 76907971155e0da50fa727638d4122aa7977092d377e1757cd7ce598938b2e37

Loki

Executable exe 068ec47d8b4ff08861d1a9f4548132c8408cac3ee909b19f2c69e837a6f61f03

(this sample)

  
Dropped by
MD5 f84cf06425077b6dbeb5bd5890ba7d91
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 76907971155e0da50fa727638d4122aa7977092d377e1757cd7ce598938b2e37
Cape
Cape
https://www.capesandbox.com/analysis/18338/

Comments