MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b
SHA3-384 hash: 942d1387282a405a4713f67103af31dfc104046cd1c41dbd61f11531c52f596c672cdb78189f6a54a91c6f6af534307b
SHA1 hash: db1635ff38e0c47860fa4609f5b526a189043592
MD5 hash: 618f3898b3f144838ab2db9b0ce6aa9c
humanhash: texas-snake-fruit-robin
File name: Оплаты_29-06-2020.exe (Russian; "Payments_29-06-2020.exe")
Signature: Loki
File size: 211'247 bytes
First seen: 2020-06-30 12:15:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2c71dfce9a27650634dc8b1ca03bf0
ssdeep: 6144:/PCganN4VE8x6LhtPIIdU3WfvpG6sgFV99y9figoRqLb42W:Van+VE8xOtYGUT6V966RqXS
TLSH: AA24126216B0F9EBD45502B204BA9A1ABBA9EF16010D978757C17E0E3D33AD7C61F04F
Reporter: @abuse_ch
Tags: exe ge Loki RUS
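The hash columns above are what a downloaded copy of the sample has to reproduce before any analysis starts, and the MIME type is a claim that can be checked against the file header. The script below is an added example, not MalwareBazaar's code: it recomputes the four hashlib-backed hashes (MD5, SHA1, SHA256, SHA3-384), walks the MZ header to the PE signature to test the application/x-dosexec claim, and reports which listed hashes match. imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep, tlsh) and are not recomputed. The embedded SAMPLE is a constructed MZ/PE stub, not the Loki binary, so against this entry's hashes it correctly reports mismatches; pass a real download as the first argument to compare it.

```python
"""Sanity checks before handling a sample pulled from MalwareBazaar.

Added example, not MalwareBazaar's code. Standard library only: hashlib covers the
MD5, SHA1, SHA256 and SHA3-384 columns of an entry; imphash, ssdeep and TLSH need
third-party libraries (pefile, ssdeep, tlsh) and are not recomputed here.
"""
import hashlib
import struct
import sys

# Hashes copied from the entry above; a real download must reproduce all of them.
ENTRY_HASHES = {
    "md5": "618f3898b3f144838ab2db9b0ce6aa9c",
    "sha1": "db1635ff38e0c47860fa4609f5b526a189043592",
    "sha256": "226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b",
    "sha3_384": "942d1387282a405a4713f67103af31dfc104046cd1c41dbd61f11531c52f596c"
                "672cdb78189f6a54a91c6f6af534307b",
}


def compute_hashes(data: bytes) -> dict:
    """Return the four hashes MalwareBazaar lists, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Map each algorithm in `expected` to True/False for whether `data` reproduces it."""
    actual = compute_hashes(data)
    return {algo: actual[algo] == value.strip().lower() for algo, value in expected.items()}


def looks_like_pe(data: bytes) -> bool:
    """Check the application/x-dosexec claim: 'MZ' at offset 0 and the 32-bit
    e_lfanew field at 0x3c pointing at a 'PE\\0\\0' signature inside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A slice past the end yields b"" rather than raising, so a bogus e_lfanew fails cleanly.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_pe_stub() -> bytes:
    """CONSTRUCTED stand-in for a sample: a minimal DOS header whose e_lfanew points
    at a PE signature. It is not the Loki sample and will not match ENTRY_HASHES."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # e_lfanew = 0x40
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20


SAMPLE = build_pe_stub()


def check_download(data: bytes, expected: dict = ENTRY_HASHES) -> dict:
    """Combined report: does the blob look like a PE, and which listed hashes match."""
    return {"is_pe": looks_like_pe(data), "hashes": verify_hashes(data, expected)}


if __name__ == "__main__":
    # Usage: python check_sample.py <downloaded file>; with no argument the constructed stub is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = check_download(blob)
    print("PE header:", "ok" if report["is_pe"] else "NOT a PE file")
    for algo, ok in report["hashes"].items():
        print(f"{algo:9s} {'match' if ok else 'MISMATCH'}")
```

The PE check is deliberately shallow: it confirms the container format the entry advertises, not that the file is well-formed or that it is the packed Loki payload. Disagreement between the hash report and the entry is the signal to stop and re-download rather than to analyse.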

Malspam distributing Loki:

Sending IP:
From: Финансов_Dept. <> (Russian; "Finance_Dept.")
Subject: Fwd: Оплаты_29-06-2020 (Russian; "Fwd: Payments_29-06-2020")
Attachment: Оплаты_29-06-2020.rar (contains "Оплаты_29-06-2020.exe")

Loki C2:


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 29
Origin country: US
CAPE Sandbox Detection: n/a
ClamAV: PUA.Win.Downloader.Soft32downloader-6691270-0
CERT.PL MWDB Detection: n/a
ReversingLabs:
Status: Malicious
Threat name: Win32.Trojan.Injector
First seen: 2020-06-30 09:40:38 UTC
AV detection: 23 of 31 (74.19%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 1/10
Malware Family: n/a
VirusTotal: Virustotal results 26.39%

Yara Signatures

Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research
Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: with_sqlite
Author: Julian J. Gonzalez <>
Description: Rule to detect the presence of SQLite data in raw image

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b (this sample)
Dropped by: MD5 e06c1a4e4f3600eaf42a9caa8c635a1a
Delivery method: Distributed via e-mail attachment