MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b6bb1afefd752b5a272a0cf54fd6690171713fae7b852caec6beaa0e2f0f0e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b6bb1afefd752b5a272a0cf54fd6690171713fae7b852caec6beaa0e2f0f0e9
SHA3-384 hash: 87a9a9c65712230bd9d74f95e3cca9d8b1e64444a2350ba108149f1f4728cf88d74d0e82f1d6541f21d895042ee7ba7b
SHA1 hash: 481c002006313b986e0dc4a46f7f69b02ada7d19
MD5 hash: 4397fd256c2b1ef5122c0855b17f17f9
humanhash: monkey-timing-cup-single
File name:RFQ-HES 70054.exe
Download: download sample
Signature Loki
Create hunting rule
File size:90'112 bytes
First seen:2020-05-22 07:24:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b0da6c1de945a710ef5ef13e4b8e91c (4 x GuLoader, 1 x Loki)
ssdeep 768:e/Fy81fQD4QHxvfvKuB97BgSwt9HjMV4M6qeqNKRabSj/l0Z21NfTHhh:e1iD40v6uB9BRUjMl6hzVfTH
Threatray 340 similar samples on MalwareBazaar
TLSH 45933C51F0A8DCA5DA450FB38E24869422EFFC331D154F0B3ACA362D39776A5782536A
Reporter abuse_ch
Tags:exe GuLoader Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: cloud-a7d9cc.managed-vps.net
Sending IP: 174.136.29.77
From: HIN MING WEI<info@globalsources.cf>
Subject: Aw: Business order RFQ-HES70054
Attachment: RFQ-HES 70054.rar (contains "RFQ-HES 70054.exe")

GuLoader payload URL:
http://ratamodu.ga/~zadmin/iclient/hermlk_qDqnTQXx228.bin

Loki C2:
http://egamcorps.ga/~zadmin/lmark/herm/mode.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.GenKryptik.EKZP.19935.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 03:08:15 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad
Loki
32c2766ee799eeffcfdff37dc5a1237b1c152f36b7108c4bd13c082db2d46423
Loki
3712c1a9e9ab864ee28897d0802179db4a2f664f61629f1154437640be377530
Loki
6972fcf47a2db0c5ce7cd905bd12cbbc5155e98f57e1362a8b1a3c94177a2419
Loki
7b0eeeb2adc3fe44102752fbe9a4ed08b3e3bf07fe633f9c3f4ab67eafb6e0aa
Loki
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
Loki
c523252072f5911950614d6a91d16036b0128c10458f05a4ab0b7a3221780c1a
Loki
d5132d40838a12d557fdcea3492cbe6775330dc7298bb806b076011816fe1f36
Loki
d83429370b6d814b6ff67dd1736424db4e11e39ee745867f09c98f49fae4e1fc
Loki
eecaf5677c5c21d268261eef35a819549dda3c454e9b60e368070aa3bfd2f54c
Loki
+ 330 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-4ghw3jqywa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 093768049aa0359d4f5cd35d7e1a477c077ed7b52de97d8091193a5b1f9c254f

Loki

Executable exe 3b6bb1afefd752b5a272a0cf54fd6690171713fae7b852caec6beaa0e2f0f0e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/361061/
  
Dropped by
MD5 bef9e9f829ddb11131876e706776c981
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 093768049aa0359d4f5cd35d7e1a477c077ed7b52de97d8091193a5b1f9c254f

Comments