MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 500ae25cf76e0cc069f42128aeb1a96072b6d0281a6ed2ff6d0b0a26b4e9556a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 1 File information 3 Yara 3 Comments

SHA256 hash: 500ae25cf76e0cc069f42128aeb1a96072b6d0281a6ed2ff6d0b0a26b4e9556a
SHA1 hash: e8f8b4370462b75cb122b19dfeb789eab65ee31e
MD5 hash: cd205803dd3103d4f891d5dfcc55fd92
File name:Purchase Order.exe
Download: download sample
Signature Loki
File size:357'888 bytes
First seen:2020-05-23 11:18:33 UTC
Last seen:2020-05-23 11:46:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:pk3nHkFqaT0IWjAGgLfrb7za7W/brkHgiU1hpaA:ZT4SfbHaE/Igl1hpaA
TLSH E974292D575ADFA4E96EF27901C510818306F8EF1EE9A31B9F85F1858D1281CCFE5B82
Reporter @abuse_ch
Tags:exe Loki


Twitter
@abuse_ch
Malspam distributing Loki:

HELO: yogshaexports.com
Sending IP: 23.19.58.125
From: sharma@yogshaexports.com
Subject: Purchase Order
Attachment: Purchase Order.gz (contains "Purchase Order.exe")

Loki C2:
http://obimmaa.ir/todsay/Panel/five/fre.php

Intelligence


Mail intelligence
Trap location Impact
Global Low
IT Italy Low
# of uploads 2
# of downloads 22
Origin country FR FR
ClamAV SecuriteInfo.com.Trojan.Siggen9.48933.30283.30529.UNOFFICIAL
VirusTotal:Virustotal results 39.73%
ReversingLabs :No data

Yara Signatures


Rule name:Lokibot
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 500ae25cf76e0cc069f42128aeb1a96072b6d0281a6ed2ff6d0b0a26b4e9556a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments