MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 2 File information 3 Yara 3 Comments

SHA256 hash: 226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b
SHA3-384 hash: 942d1387282a405a4713f67103af31dfc104046cd1c41dbd61f11531c52f596c672cdb78189f6a54a91c6f6af534307b
SHA1 hash: db1635ff38e0c47860fa4609f5b526a189043592
MD5 hash: 618f3898b3f144838ab2db9b0ce6aa9c
humanhash: texas-snake-fruit-robin
File name:Оплаты_29-06-2020.exe
Download: download sample
Signature Loki
File size:211'247 bytes
First seen:2020-06-30 12:15:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c2c71dfce9a27650634dc8b1ca03bf0
ssdeep 6144:/PCganN4VE8x6LhtPIIdU3WfvpG6sgFV99y9figoRqLb42W:Van+VE8xOtYGUT6V966RqXS
TLSH AA24126216B0F9EBD45502B204BA9A1ABBA9EF16010D978757C17E0E3D33AD7C61F04F
Reporter @abuse_ch
Tags:exe ge Loki RUS


Twitter
@abuse_ch
Malspam distributing Loki:

HELO: r2.s150.mail1.smtp.beget.ru
Sending IP: 185.78.30.105
From: Финансов_Dept. <vilada@musorunet.info>
Subject: Fwd: Оплаты_29-06-2020
Attachment: Оплаты_29-06-2020.rar (contains "Оплаты_29-06-2020.exe")

Loki C2:
http://egamcorps.ga/~zadmin/lmark/frega/mode.php

Intelligence


Mail intelligence
Trap location Impact
Global Low
# of uploads 1
# of downloads 29
Origin country US US
CAPE Sandbox Detection:n/a
Link: https://www.capesandbox.com/analysis/17123/
ClamAV PUA.Win.Downloader.Soft32downloader-6691270-0
SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL
CERT.PL MWDB Detection:n/a
Link: https://mwdb.cert.pl/sample/226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b/
ReversingLabs :Status:Malicious
Threat name:Win32.Trojan.Injector
First seen:2020-06-30 09:40:38 UTC
AV detection:23 of 31 (74.19%)
Threat level:   2/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   1/10
Malware Family:n/a
Link: https://tria.ge/reports/200630-81pqpmcces/
Tags:n/a
VirusTotal:Virustotal results 26.39%

Yara Signatures


Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

e06c1a4e4f3600eaf42a9caa8c635a1a

Loki

Executable exe 226b79cad9023ec26eb75a41422d76109a87c88a6879001f1901276d4d952a1b

(this sample)

  
Dropped by
MD5 e06c1a4e4f3600eaf42a9caa8c635a1a
  
Delivery method
Distributed via e-mail attachment

Comments