MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ba260d53db88ea6ae79af42f97eaa2e22c5fcb0f3e788057ef6e5dc40cd3060. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ba260d53db88ea6ae79af42f97eaa2e22c5fcb0f3e788057ef6e5dc40cd3060
SHA3-384 hash: 06f78254c0ec760bd681a45b5c20d5079528aa0c47c669e1473b71e5648b83273e30bc96cadc32042c1f1397c50a6672
SHA1 hash: f22e6ae0b83115e9c299743902834013fb1587e8
MD5 hash: edacb669432a5a21020d81aff93b4e52
humanhash: monkey-echo-delta-juliet
File name:jack2604_2nd_ig1_9cr17.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'250'304 bytes
First seen:2020-04-27 08:40:45 UTC
Last seen:2020-04-29 11:56:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3df7748ce3c31c44638648d67d943984 (1 x Loki)
ssdeep 24576:TDN9AGF/b69l9aTnv0UKJG5dyV45JS5rjdn8Yjkvh:TB6GFDISv0HJG5YUmhn0
Threatray 1'489 similar samples on MalwareBazaar
TLSH 1145123FA80A2103EC607CBF67137B9A06A65D3A6E3D851DECA5BC69C1B83532547317
Reporter Racco42
Tags:exe Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-04-27 10:44:00 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
25 of 30 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=forgbvj5xchknltzv5bps7vkfyrml7fq6ptyqbl663s5yqgngbqa._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0491093e9a1ffcff88b06be9028e050c7fda1f70d4c7021bea12fef8cc78fe8f
Loki
1891aa213067db003fc4f6376853c50d740fb24dc5d1eda92bb2f0a429b4891b
Loki
355b58ec78627d48f3f9ac33a989bfcffa6c81cd9015acb53c024bc7c9681165
Loki
3a2ffd78111d04ce8986e867c0ed71f258e814b302868faa887fa6138cfb8827
Loki
4118da509f4aace1799d5880924a4101d8ed8ee746e0a03a7f47f3cec76eaf58
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
7eb32bdb92a9768dfc8f30f22365aaac0d57931a77bffd71eb928f72dcdeab1e
Loki
a4429d0165e0b0c5e3b7840303bed826a9de8122d824622656d9ae9d6e396eea
Loki
ab2b30ab80cc9b916fa2885d0e223ff2b8a0ed619a0cdf795f5ca2f967d76837
Loki
ccdcef588215cb5bba1f6877e96d9dc3f83ef7a9bbdedd88235d8e6dbe3c4016
Loki
+ 1'479 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 2ba260d53db88ea6ae79af42f97eaa2e22c5fcb0f3e788057ef6e5dc40cd3060

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::PlaySoundW
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments