MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 198d05241ee46346a622e687e628fbdbe7185db3a206eaa7883b5f18f0095de2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 198d05241ee46346a622e687e628fbdbe7185db3a206eaa7883b5f18f0095de2
SHA3-384 hash: a15285876cf989adbf370fb6e6fc88c2692b3d25616f610e6f46d2e4eb89a1e65c9058b981289e803491f522eb6906cf
SHA1 hash: 75fe35ecb9531fdd886d70abd0f67b6ac775e2aa
MD5 hash: c6eff7fa929456a8dbbd7672f82db958
humanhash: jig-asparagus-wisconsin-potato
File name:TT Payment.exe
Download: download sample
Signature Loki
Create hunting rule
File size:291'959 bytes
First seen:2020-08-17 06:17:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24f4223e271413c25abad52fd456a9bc (21 x GuLoader, 15 x Loki, 10 x AgentTesla)
ssdeep 6144:NHfYbU1LGOzs7YHS4r7tT795JsS9kGGjXM/ykZ9Ru1:NfYOzsd41P9DsIkTM/E
Threatray 181 similar samples on MalwareBazaar
TLSH 9F5412023350CC16EAB16571403A6BBA09F9F8BB50A3DF1707A05FADBC127C5D82E75A
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: tbs01-cpanel13-ip230.cloud9.ge
Sending IP: 188.93.90.230
From: Mahesh Rana (AHP)<noreply@anika.ge>
Reply-To: <purchase33@akhilhealthcare.com>
Subject: Re: Invoice & PL for Payment
Attachment: TT payment.rar (contains "TT Payment.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46656/
Detection(s):
PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.ObfusRansom.bc.6542.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Delayed reading of the file
Sending a UDP request
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/432586
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/198d05241ee46346a622e687e628fbdbe7185db3a206eaa7883b5f18f0095de2/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 00:11:16 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dggqkja64rrunjrc42d6mkh33ptrqxntuidovj4ihnprr4ajlxra._file
Verdict:
malicious
Similar samples:
021ecc7db491245a744d036978de5a20916eeb67299c50f1f456ea21e622d7f5
Loki
088999945f71cb731f4fa4d6e73591ecdf1829306a6dca66be75947fc0c8d00b
Loki
44b2a6748bfe73b0e4515854def74fbd816ffa56842e3b544438cb34a249a41c
Loki
5b13588741f33a75c4e277d1e38b875e3b495c31980a2a41d7c25a2fde3d398d
Loki
60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332
Loki
a89c531ad157965de03cf15ab2783f0b24e6db0981556a7bf5ad8fe5c7d66ef5
Loki
b5bcbfe8ba02879ac963d4f9ed48203c934e80edb58b814129ad836544f2c3a3
Loki
d87e7752ee36b46b902d88317b5c5b172927760a4f171c95f812991ec62ae963
Loki
dbe7a4140fd10b17154c74ca5adfa07f0c30f7f399785c10f5a3b3d2643e8af3
Loki
ffcd16f648002caedec6c28e8b0bf0eca95cd2e7ee136709ce52d545922929ca
Loki
+ 171 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200817-361d8s3b7a/
Behaviour
Modifies registry class
Modifies registry class
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/198d05241ee46346a622e687e628fbdbe7185db3a206eaa7883b5f18f0095de2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 8f4cec88d02c4b0d4fc0b8af18ca1bdb496976afe339ca4cc396dd5c6da4f563

Loki

Executable exe 198d05241ee46346a622e687e628fbdbe7185db3a206eaa7883b5f18f0095de2

(this sample)

  
Dropped by
MD5 213bff80f6797ee0013f273b5e180639
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46656/
  
Dropped by
SHA256 8f4cec88d02c4b0d4fc0b8af18ca1bdb496976afe339ca4cc396dd5c6da4f563

Comments