MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42217b4e40567409993424ddc9beeae7a006952c31dda90d85b3a7cd67c6fa7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	42217b4e40567409993424ddc9beeae7a006952c31dda90d85b3a7cd67c6fa7a
SHA3-384 hash:	d788ec47fa0e37c5b6217eb5378d2c08d34a54f48392852b9280c1435e941639dd858fcbb7657814521d4ff39686c8a7
SHA1 hash:	6a861a95c6c9479a597201d537422be8bdb5e7d0
MD5 hash:	b6af2df161521f04e9faad76b23492f5
humanhash:	eleven-cup-grey-louisiana
File name:	New Quotes.rar
Download:	download sample
Signature	Loki Create hunting rule
File size:	562'318 bytes
First seen:	2022-06-21 06:33:06 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:KqTGB6mayUhqKwwAJJoZAnui4trh0mP2cnqnqgzbPgc0MHc0/bcGxptFRe0K:R/wKwUZAnurh/22BgzTn0S3b5ZFE
TLSH	T10EC4239B1A50CD6ABA4225C0094ACF90D2E45D392CF2FECC315CD5BA3E86F7D81D5A6C
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter	cocaman
Tags:	Loki rar

cocaman

Malicious email (T1566.001)
From: "Henry John <henry@wx15.fzhou.cfd>" (likely spoofed)
Received: "from hp0.wx15.fzhou.cfd (unknown [137.184.6.57]) "
Date: "Mon, 20 Jun 2022 18:58:56 -0700"
Subject: "REQUEST FOR QUOTE : OUR REF. NO. HAK/21451/2022"
Attachment: "New Quotes.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42217b4e40567409993424ddc9beeae7a006952c31dda90d85b3a7cd67c6fa7a/

Gathering data

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iiqxwtsakz2atgjueto4tpxk46qanfjmgho2sdmfwot42z6g7j5a._file

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection spyware stealer trojan

Link:

https://tria.ge/reports/220621-hbrjyscabn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Lokibot

Malware Config

C2 Extraction:

http://198.187.30.47/p.php?id=53483370875096238
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42217b4e40567409993424ddc9beeae7a006952c31dda90d85b3a7cd67c6fa7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.