MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 55c210e095fe70e459e30d3d3db7d201b50e0bee754c48214fe4e8c8705a7f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 5
| SHA256 hash: | 55c210e095fe70e459e30d3d3db7d201b50e0bee754c48214fe4e8c8705a7f0e |
|---|---|
| SHA3-384 hash: | 97c62a524003b48a7236496de713374800470f7f0475d435200e69348b1f4c240dd219c45207bde2f7ff20acb464b535 |
| SHA1 hash: | 0b6eabe3ab4f987abbefba25e76b243ee1c465be |
| MD5 hash: | e9708155cf360f44184cccad1cc03a1d |
| humanhash: | neptune-stairway-autumn-spaghetti |
| File name: | New Quotes.rar |
| Download: | download sample |
| Signature | Loki |
| File size: | 374'979 bytes |
| First seen: | 2022-06-23 07:22:51 UTC |
| Last seen: | Never |
| File type: | rar |
| MIME type: | application/x-rar |
| ssdeep | 6144:s+TmzpfVDMFpz5Z5M0Mn8cfRzdcLUYbVk796asxrleWLvADxS0ZClHbkSCwqgoDX:sXYH5Q0VcfRzdWzb6RQwWKxN0Hb67r |
| TLSH | T18F8423AF4DAE6355B2136C0482BE4FEBDA25B6336C0D343D40195F9F243F94AA98947C |
| TrID | 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1) |
| Reporter |  cocaman |
| Tags: | Loki rar |
cocaman
Malicious email (T1566.001)From: "Henry John <henry@wx6.fming.cfd>" (likely spoofed)
Received: "from hp0.wx6.fming.cfd (unknown [164.92.97.207]) "
Date: "Wed, 22 Jun 2022 17:58:15 -0700"
Subject: "REQUEST FOR QUOTE : OUR REF. NO. HAK/21451/2022"
Attachment: "New Quotes.rar"
Intelligence
File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2022-06-23 01:05:50 UTC
File Type:
Binary (Archive)
Extracted files:
8
AV detection:
18 of 26 (69.23%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=53483370875096238
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Delivery method
Distributed via e-mail attachment
Dropping
Loki
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.