MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 15 File information Comments

SHA256 hash:	48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5
SHA3-384 hash:	ff1aaf92cd10a3c18ffc031ad8228bf399d1d15bcbc9a23ab3c5ede2992a140d2b14578c4d93c695e6ad5d93107d72c9
SHA1 hash:	26f233a8102135aff6edf305b48195fe1c9e7d72
MD5 hash:	45b9e2bd053cafc0442a7e18c8ce50aa
humanhash:	earth-minnesota-november-cat
File name:	Bank Slip pdf.zip
Download:	download sample
Signature	Loki Create hunting rule
File size:	575'218 bytes
First seen:	2025-02-25 01:46:18 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	12288:/3BNiI12uj7GPWM1POJHb2SLjfkDWuMhZm7GfEkVseyT2xYY:ZNpzuPn1mcS3kaBnm7QVsrK
TLSH	T13BC42320EE877173BE9F1571A8EEA3C9C849D64AF35C3A056492AD6B3093C3510B35E7
Magika	zip
Reporter	cocaman
Tags:	Loki zip

cocaman

Malicious email (T1566.001)
From: ""Lara Chen" <lara@cyberinf.com>" (likely spoofed)
Received: "from alter.cyberinf.com (alter.cyberinf.com [193.222.96.87]) "
Date: "24 Feb 2025 17:45:00 -0800"
Subject: "RE: Outstanding SOA Remittance"
Attachment: "Bank Slip pdf.zip"

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://94.156.177.41/sss1/five/fre.php	https://threatfox.abuse.ch/ioc/1430093/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Bank Slip pdf.exe
File size:	736'776 bytes
SHA256 hash:	9f259eea8c8508b1b3c77ebde3441e0c8618e253739e4ce469a93d9fd33264af
MD5 hash:	4e4108ccf43fde81b96e2606d38628a0
MIME type:	application/x-dosexec
Signature	Loki

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Foxhole.Zip_fs3391.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67bd211ba0fd713c335caa7f

Tags:

underscore injection micro shell

Result

Verdict:

Suspicious

File Type:

PE File

Link:

https://app.docguard.net/48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5/results/dashboard

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature obfuscated obfuscated packed packed packer_detected signed stealer vbnet

Link:

https://www.filescan.io/uploads/67bd219660f4b4f0724be126/reports/b61797cf-31eb-4d02-998c-90c766ef7c77/overview

Verdict:

Suspicious

Labled as:

Mal/DrodZp

Link:

https://www.hybrid-analysis.com/sample/48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

72%

Verdict:

Malware

File Type:

Result

Malware family:

lokibot

Score:

10/10

Tags:

family:lokibot collection discovery execution spyware stealer trojan

Link:

https://tria.ge/reports/250225-f8ce7ayp12/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Lokibot

Lokibot family

Malware Config

C2 Extraction:

http://94.156.177.41/sss1/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/48c3140af609dd80eb8a7900561ef9229409d9b01447dce4a43b8dabc04dc2d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Suspicious_Latam_MSI_and_ZIP_Files Create hunting rule
Author:	eremit4, P4nd3m1cb0y
Description:	Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)