MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 504cd8dcf16b6e6b55271ef9bcd8603916ec5f81fdeb0615e3c970954d50a7f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 504cd8dcf16b6e6b55271ef9bcd8603916ec5f81fdeb0615e3c970954d50a7f0
SHA3-384 hash: 5ca648dc9db2c0b8e79941f0ac90d77ba5f869215fd10323a1b009ae64ee8de97d3b47f0baa8469f2a7f28a2287227d6
SHA1 hash: a0cbdfd17a72896948b01bbf11ab97e2c5956d93
MD5 hash: 8e2867efea4e5156caf39a2cf80f2376
humanhash: may-oscar-carolina-maryland
File name:loki.exe
Download: download sample
Signature Loki
Create hunting rule
File size:192'512 bytes
First seen:2020-05-19 06:11:59 UTC
Last seen:2020-05-19 07:13:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a98659e59f16a6e12a86e07e70c10b3 (1 x Loki)
ssdeep 3072:EsUQZHNAJ+Hqm+7gXZRSS1dt7RyGK2s6JE4:EsUQZHk+H/BXzSq7jKf6JE
Threatray 252 similar samples on MalwareBazaar
TLSH 33142905F6E0F42BD9F98EFE07E69AB594DA2C7A5901E74379007F2F36F1980A060536
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: cloud-a7d9cc.managed-vps.net
Sending IP: 174.136.29.77
From: HEC-Sales<info@globalsources.cf>
Subject: Re: Hyundai Engineering 판매 주문 및 도면-RFQ
Attachment: HEC20200518.img (contains "loki.exe")

Loki payload URL:
http://ratamodu.ga/~zadmin/iclient/hermlk_qDqnTQXx228.bin

Loki C2:
http://egamcorps.ga/~zadmin/lmark/herm/mode.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.Injector.EMAB.28135.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 04:44:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kbgnrxhrnnxgwvjhd343zwdaheloyx4b7xvqmfpdzfyjktkqu7ya._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
2b7498abb82bfc105fb641bc1b9e9da602bfeefb252dd8d16d7c1e4fbc3a4668
Loki
2ea5a4fb25528051254f255dc64913ca7d4faa1ecba2f40a55b536f871624fb9
Loki
5ff77cfc952a63f6c75709db72ca3ddd2b362bf416bb454957f3b8bfdbaafd50
Loki
67aa5b86db90b286266d57324824825453a9db72b15414ee064dbf01085d00b4
Loki
814cf0cf90c5b99f4bf827ca64e5c7c55d73e036b9e8646f0d6031444a90fe63
Loki
a3c9b063a2e0b2543b34146f01d970f5ea721fac3fccc95bf1afdac5a56164e9
Loki
bb2faadcbc0d7c66a84bb763e34cc811194f21a2222541a62fd1c0d9d3ce6c42
Loki
c882cc422e4039600b31e53e369f05b29dc9dd38cab76facef8a42adc8d326b3
Loki
ddf6f04276c1d976e62e199e6c928fb7a3d7aaec455a1859f8d8f605c89ffc64
Loki
e0c1fb97e28bc9944bc045ee772dd8da34a985a9e410764734eacdb35429cd1b
Loki
+ 242 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-5hfn4jkeqe/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent state file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 764d4cc93262929170edf0d83947280497614854cf608b3319af5a1602563cd0

Loki

Executable exe 504cd8dcf16b6e6b55271ef9bcd8603916ec5f81fdeb0615e3c970954d50a7f0

(this sample)

  
Dropped by
MD5 6d59c3b86db4c8817b595fd65a536f2a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 764d4cc93262929170edf0d83947280497614854cf608b3319af5a1602563cd0

Comments