MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 61a34452d0fe45c9ca538fae20e355c89d2d104b5dc8f50ca46be2d1e59e83c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 4
| SHA256 hash: | 61a34452d0fe45c9ca538fae20e355c89d2d104b5dc8f50ca46be2d1e59e83c4 |
|---|---|
| SHA3-384 hash: | 24f74728791b770d241bb5f26fc84bdfba4f35727ad7f7f9be53aac5c768c84766ee47ce9906e3736e4ca5cc54374d72 |
| SHA1 hash: | d0f18a91bbe75577ba293e822cbebb9df91a6e6f |
| MD5 hash: | 6504420451757781bdba1e4e417d8a9d |
| humanhash: | lamp-undress-may-saturn |
| File name: | TNT Express Notification.exe |
| Download: | download sample |
| Signature | Loki |
| File size: | 1'305'088 bytes |
| First seen: | 2020-04-02 06:23:12 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT) |
| ssdeep | 24576:eCdxte/80jYLT3U1jfsWarwVuFlV/OWYbbCcHOBrNQ:3w80cTsjkWarwUDl1cHgq |
| Threatray | 2'195 similar samples on MalwareBazaar |
| TLSH | 9255CF2273DDC371CB669173BF6977012EBF78650630B85B2F880D7DA950162262DBA3 |
| Reporter |  abuse_ch |
| Tags: | COVID-19 exe Loki |
abuse_ch
COVID-19 themed malspam distributing Loki:HELO: host.s102host.com
Sending IP: 206.225.80.195
From: TNT Customer Care <customerservice.sg@tnt.com>
Subject: Your shipment was returned to our office!!! BECAUSE OF COVID-19 OUTBREAK(TNT Express Notification)
Attachment: TNT Express Notification.rar (contains "TNT Express Notification.exe")
Attachment: TNT Express Notification.zip (contains "TNT Express Notification.exe")
Loki C2s:
http://supergeorgia.ge/ged/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Intelligence
File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Androm
Status:
Malicious
First seen:
2020-04-02 02:00:26 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
25 of 30 (83.33%)
Threat level:
2/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Similar samples:
+ 2'185 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.