MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
SHA3-384 hash: fe6b6879e885536ab7e2b1bbf3ded5c9e924897d4065be1f69716b3c34633da3e5c6d4ba19102d035ef9c6023c68beb0
SHA1 hash: cee33cfb8ad0380d6aaa1272e3a1e5474f2d5b59
MD5 hash: d7e5cae47982fe6cee9a60426d9b6e1a
humanhash: wolfram-oklahoma-stairway-mango
File name:Remittance ADVICE.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'139'712 bytes
First seen:2020-05-29 06:17:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:htb20pkaCqT5TBWgNQ7abu0XneiqWUWJLPtZ6A:yVg5tQ7abfnCWUWB35
Threatray 2'338 similar samples on MalwareBazaar
TLSH 4D35CF1373DE8361C7B25273BA15B701AE7F782506B5F96B2FD8093DE920122521EA73
Reporter jarumlus
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 23:02:06 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0adecb6f10ce532902f8c9fcd67682beb29f07cb3a6c791443cbb4991ded905b
Loki
2a3c60d816836bf1cecb31f34d4eaf5b93976c123364538d5b8e22e9272e1269
Loki
4c85122f83c69509a94932fa916aed7c8d8096463dbee29ccdbe3abdbd492b6a
Loki
6cae16bed5ff47f64986860e163db4499ca5a75e12e36a334a092d3865249bf1
Loki
79129af7eeae9ebb06e1e77ceb732e24565771282c1381b15a3f19721936b84c
Loki
a4c9485c1fc597e651e339316265c457865812f656b5cbc3595bdf54f8eb6623
Loki
acd12da4b4032af20f766c6a2e26b837bcfd543fd01031fb0a9e4812ef66d103
Loki
c4e11fc875cebd67365c8db078cd7ff8b93b9583c7f34b3e098a94ef1c2b2326
Loki
dfeb957fc25e4102bf74a28e214d8ad5488d85b552824e0cd1f3c856f3a62acc
Loki
f8c717a1fca0f3576696362cd50b99713931e9290aefa07ecf4e6935125723a2
Loki
+ 2'328 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/201109-qdxfvw4tcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://superson.ga/Bobby/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 9bb06a021a4881d899889e8144323fd17763fb49abd9ced9faaafbdc35ab5f40

Loki

Executable exe 3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2

(this sample)

  
Dropped by
MD5 0a381c851b0f13d18bcd5efe6352eec3
  
Dropped by
SHA256 9bb06a021a4881d899889e8144323fd17763fb49abd9ced9faaafbdc35ab5f40
  
Delivery method
Distributed via e-mail attachment

Comments