MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 500ae25cf76e0cc069f42128aeb1a96072b6d0281a6ed2ff6d0b0a26b4e9556a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash: 500ae25cf76e0cc069f42128aeb1a96072b6d0281a6ed2ff6d0b0a26b4e9556a
SHA1 hash: e8f8b4370462b75cb122b19dfeb789eab65ee31e
MD5 hash: cd205803dd3103d4f891d5dfcc55fd92
File name: Purchase Order.exe
Signature: Loki
File size: 357'888 bytes
First seen: 2020-05-23 11:18:33 UTC
Last seen: 2020-05-23 11:46:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:pk3nHkFqaT0IWjAGgLfrb7za7W/brkHgiU1hpaA:ZT4SfbHaE/Igl1hpaA
TLSH: E974292D575ADFA4E96EF27901C510818306F8EF1EE9A31B9F85F1858D1281CCFE5B82
Reporter: @abuse_ch
Tags: exe Loki

Malspam distributing Loki:

Sending IP:
Subject: Purchase Order
Attachment: Purchase Order.gz (contains "Purchase Order.exe")

Loki C2:


Mail intelligence
Trap location    Impact
Global           Low
Italy (IT)       Low

# of uploads: 2
# of downloads: 22
Origin country: FR
VirusTotal results: 39.73%
ReversingLabs: No data

Yara Signatures

Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez
Description: Rule to detect the presence of SQLite data in raw image

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe: 500ae25cf76e0cc069f42128aeb1a96072b6d0281a6ed2ff6d0b0a26b4e9556a (this sample)

Delivery method: Distributed via e-mail attachment