MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 600884bbd0faf410ec6b145cd918456803d0f0712055b195407ba8f1ec1a06e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 600884bbd0faf410ec6b145cd918456803d0f0712055b195407ba8f1ec1a06e4
SHA3-384 hash: 22281d3bd265a639ac3e9363df4a6b1e67a403edfa7dfefff60fc18849afbbddec4e5503a00b3c21b66d7b5e027fdbd0
SHA1 hash: aea306dd8f41a62e21fc5ebf01d82e4a347c1204
MD5 hash: 8bfeb5d1d37775c682466993d7011321
humanhash: network-cat-alaska-lamp
File name:Tax for this tax period is -702.23 AED.exe
Download: download sample
Signature Loki
Create hunting rule
File size:4'228'608 bytes
First seen:2021-02-11 10:06:40 UTC
Last seen:2021-02-11 11:58:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:93E34BFBlDz1EMn0/nuVGccO/aw5z7PBEgFMoDaZyb5oasu6GDgW3VT9cHBHlW57:VE3GBlDz1EMn0/nuVGccO/aw5z7PBEgs
Threatray 6 similar samples on MalwareBazaar
TLSH EE169157C244D534E82D53FC6464CCEA122EFEDBA6BBD42C690E7D89D633B08D81A4D2
Reporter abuse_ch
Tags:ARE exe geo Loki


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: tax.gov.ae
Sending IP: 45.137.22.41
From: fta-reg <fta-reg@tax.gov.ae>
Subject: VAT Return Submission (refund position)
Attachment: Tax for this tax period is -702.23 AED.gz (contains "Tax for this tax period is -702.23 AED.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Tax for this tax period is -702.23 AED.exe
Verdict:
Malicious activity
Analysis date:
2021-02-11 10:12:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0adaf90d-9508-43e1-939b-8a899a280ae7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Loki
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116779/
Detection(s):
SecuriteInfo.com.Artemis8BFEB5D1D377.11639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605711
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected aPLib compressed binary
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/600884bbd0faf410ec6b145cd918456803d0f0712055b195407ba8f1ec1a06e4/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 08:45:11 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=maeijo6q7l2bb3dlcronsgcfnab5b4drebk3dfkapoupd3a2a3sa._file
Verdict:
unknown
Similar samples:
59de9ae9cd929da5de69f6684abda312c49f342b9449a9e966f0a576f4c311e4
Loki
7579d907f11e31daadd189f27bb76ece470935be7d196e402030fae41615fca7
Loki
7d9db239a664291a5556c35a58dfc031f424dfab9fd78f5b3f3a02851bd0702e
Loki
b1e15b9a8dad8e09e6a44215449f0b4f9fb269f6e00a3106a520780e43c2efd8
Loki
e49ea9c326ce0cfcf7c4795428cda9d52da65c670a31748b1cb067b14d6a3c83
Loki
efee2d455066b0eb187ff041a99316ee1abe6a6d64a7dffb43fb821e9ab4e647
Loki
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-dbdyqh2tvj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/f630064b-2125-4f92-a38b-c766b47a589b/
SH256 hash:
600884bbd0faf410ec6b145cd918456803d0f0712055b195407ba8f1ec1a06e4
MD5 hash:
8bfeb5d1d37775c682466993d7011321
SHA1 hash:
aea306dd8f41a62e21fc5ebf01d82e4a347c1204
Link:
https://www.unpac.me/results/f630064b-2125-4f92-a38b-c766b47a589b/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz 75e1fbe0b14e28882e197d2d8c9c9935fec96bdf102a97ba30e6b350a502c443

Loki

Executable exe 600884bbd0faf410ec6b145cd918456803d0f0712055b195407ba8f1ec1a06e4

(this sample)

  
Dropped by
MD5 84b94272311aa057b55a6a73890ec62f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116779/
  
Dropped by
SHA256 75e1fbe0b14e28882e197d2d8c9c9935fec96bdf102a97ba30e6b350a502c443

Comments