MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4118da509f4aace1799d5880924a4101d8ed8ee746e0a03a7f47f3cec76eaf58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4118da509f4aace1799d5880924a4101d8ed8ee746e0a03a7f47f3cec76eaf58
SHA3-384 hash: 28c8e9baf89491fbc3c16dfb779545fe06925a220d5165815a454528f83831ab3dd31324d0572f068993dcf2a68dc7a2
SHA1 hash: 97ebfce6b3c377f30575671759a07ca2eafee3bf
MD5 hash: af7d94c9cceb106dc5241eeee0f413ee
humanhash: football-one-hydrogen-hawaii
File name:win32(4).exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'222'656 bytes
First seen:2020-04-27 06:42:19 UTC
Last seen:2020-04-28 11:42:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 507453c0d8846af4389ebe9f6a8d5c53 (1 x Loki)
ssdeep 24576:Buc7xn1Au68iS0iArfI3MKzbZc6e7Ccms7eRQ7qOU/j:scF1AuX0xrOMCc6e7CLRQ7qZ
Threatray 1'520 similar samples on MalwareBazaar
TLSH FF452202F254BC31C54C04388635EDA15E222DA95A64D41C3A5EF6AD62F37D33DEAE2F
Reporter oppimaniac
Tags:Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.BScope.TrojanDownloader.Deyma.29920.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-04-27 06:31:07 UTC
File Type:
PE (Exe)
Extracted files:
105
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iemnuue7jkwoc6m5lcajessbahmo3dxhi3qkaot7i7z45r3ov5ma._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0491093e9a1ffcff88b06be9028e050c7fda1f70d4c7021bea12fef8cc78fe8f
Loki
1891aa213067db003fc4f6376853c50d740fb24dc5d1eda92bb2f0a429b4891b
Loki
355b58ec78627d48f3f9ac33a989bfcffa6c81cd9015acb53c024bc7c9681165
Loki
3a2ffd78111d04ce8986e867c0ed71f258e814b302868faa887fa6138cfb8827
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
76e0ef504371de843a6197e948a1a1dfe3f8e87e25ff8e2ee5f6648daff0e0c6
Loki
7eb32bdb92a9768dfc8f30f22365aaac0d57931a77bffd71eb928f72dcdeab1e
Loki
a4429d0165e0b0c5e3b7840303bed826a9de8122d824622656d9ae9d6e396eea
Loki
ab2b30ab80cc9b916fa2885d0e223ff2b8a0ed619a0cdf795f5ca2f967d76837
Loki
ccdcef588215cb5bba1f6877e96d9dc3f83ef7a9bbdedd88235d8e6dbe3c4016
Loki
+ 1'510 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe 4118da509f4aace1799d5880924a4101d8ed8ee746e0a03a7f47f3cec76eaf58

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/351791/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::PlaySoundW
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments