MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54f42da8259c446dcaa20a678a382301b319b3936c9d42fe50300d28f6c5939a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54f42da8259c446dcaa20a678a382301b319b3936c9d42fe50300d28f6c5939a
SHA3-384 hash: 9a5ef15069890efa4dc18d25161ac9b5238888fdf38413568bc1ea23a999f058e8c4b3ba157f827743b1e5180b7b5ae1
SHA1 hash: 4a577a89c89d5e641480a8b8c2dccd04ef810b98
MD5 hash: 3ca459375646fa36b18b24e3d4121ef0
humanhash: quebec-muppet-sink-magazine
File name:Payment SWIFT.doc
Download: download sample
Signature Loki
Create hunting rule
File size:76'288 bytes
First seen:2020-05-01 13:41:34 UTC
Last seen:Never
File type:Word file doc
MIME type:application/msword
ssdeep 768:H7SXcxAL4Gsp8m8WR+AYnVyRQ2zysrmwE4K7B4Ap/uCwTYtr06MMj:HHxM42Pk3ysqr7PZuCnr7j
Threatray 40 similar samples on MalwareBazaar
TLSH 0873AE10B686CE5AF1AA45358EE7CAEA373D3C189D12C31732197F1EBCB52758606B42
Reporter abuse_ch
Tags:doc GuLoader Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: bluemind-etu.univ-mayotte.fr
Sending IP: 193.54.33.153
From: Micheal <pago@etudiant.univ-mayotte.fr>
Subject: Payment
Attachment: Payment SWIFT.doc

doc->GuLoader->Loki

GuLoader payload URL:
https://nilemixitupd.biz.pl/MOKGLG/MEJMKQY.exe

Loki C2:
http://157.52.211.247/private/Panel/five/fre.php

GuLoader payload URL (Loki):
https://nilemixitupd.biz.pl/Choko/build_qugnudNQFX187.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
MiscreantPunch.EvilMacro.AODBWSRBMS.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.DL.170224.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Macro-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Document-Word.Downloader.Obfuse
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 16:35:11 UTC
File Type:
Document
Extracted files:
23
AV detection:
14 of 30 (46.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kt2c3kbftrcg3svcbjtyuobdagzrtm4tnsouf7sqgagsr5wfsona._file
Verdict:
malicious
Label(s):
guloader
Create hunting rule
Similar samples:
0a6caea4ce7bf55029e1f01895a6c653fb2c5166f76dafcf94956dd8915e4eab
Loki
10481c8ab9d363251e4d1aab4805df6d245621a5f10302fe5ed8cdd9f20bdc14
Loki
1cd2e3b696656354859e0ffdb5bca866fadf42f59c9e2da1c228e0b52fa5f368
Loki
30efd997c49aae97766539c72d72529b06f1e8522ea84e71758cde4ed1846921
Loki
443bc33e9d28fddd4229367cde23085b8d57549093ce8e991eb4753ce58c85fe
Loki
98c39c41a62349078a4b09ae665ed9945dd207b7c02b38fa58a639089721bc5e
Loki
b022be4adc35569368e23da7b344c4f9a4ce9efffaf1013d1fc778cb2b58f67f
Loki
c10808947a65d455863b0449c74a6cc2112fd8fd60dab90c0f51edddfad4cb3e
Loki
dda25996ab5b78fa63ab71aa304360374fe2eb6ded670c778b2c69d9fa1f1e40
Loki
ef8f03a25087eeab581d8439a0a19ba7148270d2210d479c1d6867fac69dc813
Loki
+ 30 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:SUSP_EnableContent_String_Gen
Create hunting rule
Author:Florian Roth
Description:Detects suspicious string that asks to enable active content in Office Doc
Reference:Internal Research
Rule name:win_alina_pos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_gootkit_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Word file doc 54f42da8259c446dcaa20a678a382301b319b3936c9d42fe50300d28f6c5939a

(this sample)

GuLoader

Executable exe c10808947a65d455863b0449c74a6cc2112fd8fd60dab90c0f51edddfad4cb3e

  
URLhaus
https://urlhaus.abuse.ch/url/355515/
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 c10808947a65d455863b0449c74a6cc2112fd8fd60dab90c0f51edddfad4cb3e
  
Dropping
MD5 dfe6c1affd6d78876e4cf01c7bea6e05

Comments