MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cc1efea64d7e6952a57ce58fd01afed8fdcedc58b553bd9090c63ca8fa8bf89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cc1efea64d7e6952a57ce58fd01afed8fdcedc58b553bd9090c63ca8fa8bf89
SHA3-384 hash: 9e0588d43ee29d74591f11f8db41240ead38d6fd91f6bc8e119cfad37fd0c86e32e3f738822df5bb2881da43e133c436
SHA1 hash: a378e1e8954f8f52c9b7758d053453bab377195e
MD5 hash: 27c90af6339784fbef780a27e49554a6
humanhash: east-golf-five-rugby
File name:TT Slip.exe
Download: download sample
Signature Loki
Create hunting rule
File size:410'112 bytes
First seen:2020-06-11 05:44:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:3NTfSdJgAE28ghgyxkCPdZXfTxY21Bms:1a62x1Ks
Threatray 2'857 similar samples on MalwareBazaar
TLSH 24947C0476917D8EC36E8DB6841329105BB1ADAB6E1BF3035CCB31DA517EFC60A51B8B
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: mm0.mmmpics.com
Sending IP: 86.105.1.121
From: Cash Management Operations <info@abiexport.icu>
Reply-To: Cash Management Operations <cash.management@cjcasht.info>
Subject: PENDING OUTWARD REMITTANCE(S) - Attached Transaction reference
Attachment: TT Slip.gz (contains "TT Slip.exe")

Loki C2:
http://sportsgroup-hk.com/five/bryt1/fre.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8859/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 03:48:21 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hta672te27tjkksxzzmp2anp5wh5z3ofrnktxwijbrr4vd5ix6eq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
230ad9bffe97e0ee1f8f7cbf3c6cfa2d95211d859170ee19e3e2d9b8c1cc97b5
Loki
276c169d7b842d092da93f16ae55bda7b01b0ded9bb12166b4c6eddc1dc49462
Loki
33ebfd8e209828818c29eac889a86e84eba1e9f428dc839f3a2a2fb57ade8d22
Loki
6cb4b1c8e7a9db252978470e2971438bc9cb1e4036c6dfdeec7229af1f7d56b8
Loki
aa95e85eb00135c313991f118ed2157a8ff7a04a98edd9f39f138f8af249b9c8
Loki
bec49428d91505adca491651a2376e3d90e33091dad7c2b63a7db472d2a28e57
Loki
cacb7a0f02dc33257d647f0eedd40831b7feee5a0a40625a72ed50ee4682f341
Loki
dc2435622376b023e99e165f3615fcfdb35b8ed157af0ac2fcd3cdf8242592d8
Loki
e0b5a7aa2ae1c4df12a5fa90c2f68c615690a58d80af00ff60ed5d7ab30c2f46
Loki
e4efbdcde8db7352bdf2cb15677d4dea605e29e8fbcaf77f4aa0bd4d6a089117
Loki
+ 2'847 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/201109-zyh3y1vy4j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://sportsgroup-hk.com/five/bryt1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 33c9a6a32a13a51ca4706ecc9ada03dc5d8a680270101ade992a77c04c1fdf98

Loki

Executable exe 3cc1efea64d7e6952a57ce58fd01afed8fdcedc58b553bd9090c63ca8fa8bf89

(this sample)

  
Dropped by
MD5 8922d589464f61b0547b56c922d7dc8b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 33c9a6a32a13a51ca4706ecc9ada03dc5d8a680270101ade992a77c04c1fdf98
Cape
Cape
https://www.capesandbox.com/analysis/8859/

Comments