MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13e68c9cf4148738297e4af309633a506792e76707a814cccfbb4a9f47e2285d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry: Loki

Vendor detections: 4

SHA256 hash: 13e68c9cf4148738297e4af309633a506792e76707a814cccfbb4a9f47e2285d
SHA3-384 hash: 4f2e18630d464aab33e792f611a84ae175b65a2a01e7cf9910ec64951aa8f264641ac5c1cc7f744c2381b6458cfd322a
SHA1 hash: 3079d4634f472044df2f49c6e6eb6b6d89e85611
MD5 hash: 4575be5d45893b7309b17f8ba84680b4
humanhash: robert-video-alanine-kilo
File name: attachments.zip
Signature: Loki
File size: 408'443 bytes
First seen: 2020-07-28 13:27:46 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:6aG9k6Hyon+JhtrtE3+3XsQcAqvq0jyjg0Ir:VG91Z2hXADlvfWir
TLSH: FA9423BF501DBD96DBEFAC9DC0085CE3310A47393346AFFDAA4849C44D9E12E42698D6
Reporter: abuse_ch
Tags: Loki, zip


abuse_ch
Malspam distributing Loki:

HELO: standard13.doveserver.com
Sending IP: 67.220.184.98
From: payment//exchange@hsbc.com
Subject: Credit Note: FIN Payment process ref: HS7902002 7/28/2020 4:24:31 a.m.
Attachment: attachments.zip (contains "swiftcopy.xlsm")

Loki payload URL:
https://reklaimapparel.com/wp-admin/js/swiftcopy.exe

Loki C2:
http://193.142.59.58/m0ham/pin.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 64
Origin country: n/a

Vendor Threat Intelligence
Threat name: Script-Macro.Downloader.EncDoc
Status: Malicious
First seen: 2020-07-28 13:29:04 UTC
AV detection: 15 of 48 (31.25%)
Threat level: 3/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Loki (zip): 13e68c9cf4148738297e4af309633a506792e76707a814cccfbb4a9f47e2285d (this sample)
  Dropping: Loki

Delivery method: Distributed via e-mail attachment

Comments