MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e7757f18ae0c6aeac44ed49de53657e81d46474c75c431b291e3e5712b94045. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	4e7757f18ae0c6aeac44ed49de53657e81d46474c75c431b291e3e5712b94045
SHA3-384 hash:	7dceaad7fd518e8cc30e43163f2bf83c478e2d50fc2822c0973689dbd6a3d7f6a62afaa2e3fcbaecb0beb0ee4a5fe3a3
SHA1 hash:	73c694ae25f7fdbbeb3d5afe8a87473586d5498c
MD5 hash:	63ac8eea2f1472de99277790c2792b61
humanhash:	nitrogen-ten-massachusetts-virginia
File name:	DHL Shipping Documents
Download:	download sample
Signature	Loki Create hunting rule
File size:	356'352 bytes
First seen:	2020-04-06 09:43:12 UTC
Last seen:	2020-04-06 10:55:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	86a34eb978c0c97f3870fd3c77ca53fa (1 x Loki)
ssdeep	6144:ZjTeYoYh5m2H/5JMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM+MMMMMMMMMMMMMP:xUYh5l/MMMMMMMMMMMMMMMMMMMMMMMMp
Threatray	1'331 similar samples on MalwareBazaar
TLSH	A0740951B680F8E6CED54D736E2ADD704B12BCFCE105656632DC3E5F39FA9B22240292
Reporter	abuse_ch
Tags:	COVID-19 exe GuLoader Loki

abuse_ch

COVID-19 themed malspam distributing GuLoader->Loki:

HELO: mxserver7-out10.masterweb.com
Sending IP: 103.25.223.243
From: Asia_DHL | Express <dhlexpress.billingid@dhl.com>
Subject: DHL Shipping Documents, Invoice and AWB/ Service impact due to\x0a COVID-19 outbreak
Attachment: DHL Shipping Documents.gz (contains "DHL Shipping Documents")

GuLoader payloed URL (Loki):
https://beeps.my/tz/b2_build_encrypted_1E75CB0.bin

Loki C2:
http://audiosv.com/b2/Panel/fre.php (45.252.248.29)

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Noon-7650558-0

Win.Malware.Generic-7650850-0

Gathering data

Threat name:

Win32.Trojan.Androm

Status:

Malicious

First seen:

2020-04-06 03:34:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jz3vp4mk4ddk5lce5ve54u3fp2a5izduy5oeggzjdy7foevzibcq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz 580fa8aa467a041f098469b1648ee05237d5c9fb9da1298a76e263f6910f1b2f

Loki

exe 4e7757f18ae0c6aeac44ed49de53657e81d46474c75c431b291e3e5712b94045

(this sample)

Loki

exe de8255aed7b8c2e2c2ee91226af189ba6cc0deb25e1f6cee579bb92e41da6816

URLhaus

https://urlhaus.abuse.ch/url/335606/

Dropped by

MD5 0ec0ec3b92f6c8282db8a3e0291159f1

Dropped by

SHA256 580fa8aa467a041f098469b1648ee05237d5c9fb9da1298a76e263f6910f1b2f

Dropping

Loki

Dropping

MD5 97b5033aa51cc3f06bb37760bcc4431a

Dropping

SHA256 de8255aed7b8c2e2c2ee91226af189ba6cc0deb25e1f6cee579bb92e41da6816

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 de8255aed7b8c2e2c2ee91226af189ba6cc0deb25e1f6cee579bb92e41da6816

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
VB_API	Legacy Visual Basic API used	MSVBVM60.DLL::__vbaObjSetAddref MSVBVM60.DLL::EVENT_SINK_AddRef MSVBVM60.DLL::__vbaLateMemCallLd MSVBVM60.DLL::__vbaErrorOverflow

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample