MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e6d691ce07204deefd9cbcc9c310bbc6c2e89c8361ca09e7ed1da4c01b2ad04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e6d691ce07204deefd9cbcc9c310bbc6c2e89c8361ca09e7ed1da4c01b2ad04
SHA3-384 hash: 51adc01b3ce65d01970b5afd321f3937571606188e45eb035c0a5428800938e0423c1ad3409ec1a3cd44693683b50b65
SHA1 hash: 4abc5ce4b9efc69c8d78279bf94b8e237c0614c7
MD5 hash: ec5dbab7a41c69f9bcb9acc0b09a9429
humanhash: california-comet-blossom-cat
File name:CG_INV_202066.exe
Download: download sample
Signature Loki
Create hunting rule
File size:845'824 bytes
First seen:2020-07-09 07:55:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e335e0f383b17202864efb975d29d538 (14 x AgentTesla, 6 x Loki, 3 x AZORult)
ssdeep 24576:ukAVCi74LofeHXecQmiDXeO4D/QivpEQR:uiiuo2Oq4XeOO/Qep5
Threatray 1'529 similar samples on MalwareBazaar
TLSH 5C058C22B3904833D0631A3D8D1B6778992ABE522EE8BA4B7FF55C4C5F396403935397
Reporter abuse_ch
Tags:Endurance exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: 142-4-22-49.unifiedlayer.com
Sending IP: 142.4.22.49
From: Accounts Dept <accounts@confidencegroup.co>
Subject: Payment Schedule
Attachment: CG_INV_202066.iso (contains "CG_INV_202066.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23556/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Reading critical registry keys
Launching a service
Creating a file
Changing a file
Replacing files
Connection attempt
Sending an HTTP POST request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Stealing user critical data
Detection:
lokibot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4e6d691ce07204deefd9cbcc9c310bbc6c2e89c8361ca09e7ed1da4c01b2ad04/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 07:57:06 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jzwwshhaoicn536zzpgjymilxrwc5coigyokbht62hneyansvuca._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
00561595f71768d7555b2a39fc0fd39819640b8b08af4302ba03bf8b3dffa8b2
Loki
20004cf75c3ffef4a7cb3784b631eb74b93e9abe27509169d96094904e40f66e
Loki
393563ba21c2c9349e3a0be9712ba9b9911297485360881d100775ff4ba2fd33
Loki
3f9b394a7976d85b59f2c81c635f6d2674db5e99dec5b5d71c4d1a12b41fc185
Loki
6c9062063d700d3e92e11e32aaba58615b06313b04dbc67d3a2f9a1e8b4a0e12
Loki
76e0ef504371de843a6197e948a1a1dfe3f8e87e25ff8e2ee5f6648daff0e0c6
Loki
8787d71a3a429d5d3050e351e241721f56576470457a31da410785bc696236b8
Loki
bb6cfee282efc5fa0e2dd8de410f4f7b9e684a3378244948589516d9ffaa81ad
Loki
bbcb85929cfc7f9761b8bbbd06f473b2ad14b885e1cc2874c2f94d14af2b0b6a
Loki
f9e2dd756af048e97443fedcca614a9ef3ff969c10287856bf8c3e05abb881e1
Loki
+ 1'519 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200709-nqtwrkfxfn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Lokibot
Malware Config
C2 Extraction:
http://79.124.8.8/plesk-site-preview/chongelctricals.com/http/79.124.8.8/adamsn/Panel/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

iso f13ba654fe59123e702c34c414a97687d748853aef0e75e48ce878e1c270a173

Loki

Executable exe 4e6d691ce07204deefd9cbcc9c310bbc6c2e89c8361ca09e7ed1da4c01b2ad04

(this sample)

  
Dropped by
MD5 73ac61660a02b005d9c315be8058e244
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23556/
  
Dropped by
SHA256 f13ba654fe59123e702c34c414a97687d748853aef0e75e48ce878e1c270a173

Comments