MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b1df4cb218093a57a5646f0d6ece41d548fae6cce51d90d1540686d747069b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b1df4cb218093a57a5646f0d6ece41d548fae6cce51d90d1540686d747069b6
SHA3-384 hash: 455fda52bc1fb4edbdc2a9fdaf03c23e1b78135750d13bb3412829ea3d2e925953a18aff71737b65acf036093d0ec33e
SHA1 hash: de252b93e3973af6b256aa59d5b92ad7553ab07b
MD5 hash: 36bf2bd62487253ced42da7e7fa35320
humanhash: thirteen-happy-gee-minnesota
File name:Wire Payment.exe
Download: download sample
Signature Loki
Create hunting rule
File size:316'472 bytes
First seen:2020-08-18 11:39:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24f4223e271413c25abad52fd456a9bc (21 x GuLoader, 15 x Loki, 10 x AgentTesla)
ssdeep 6144:3HfYbMx+ToiiRTtpxHKQEKu2yGlvGeXk1R0l36oLIpiK:3vw8i03gGl+G80CF
Threatray 53 similar samples on MalwareBazaar
TLSH B164135093D5C063C395CD746EB6F1BBABAACF2A59529B0787C03F8C3473560BA6B106
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: secretariavirtual.es
Sending IP: 89.140.72.157
From: "MENUEL, Karine"<nak@naksystem.com>
Reply-To: <kmenu@kidilizgroup.com>
Subject: AW: wire confirmation
Attachment: Wire Payment.rar (contains "Wire Payment.exe")

Loki C2:
http://modevin.ga/~zadmin/lmark/gld/mode.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47744/
Detection(s):
PUA.Win.Adware.Browserio-6725861-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.ObfusRansom.bc.6542.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Sending a UDP request
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b1df4cb218093a57a5646f0d6ece41d548fae6cce51d90d1540686d747069b6/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 09:48:33 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmo7jszbqcj2k6swi3ynn3hedvki7ltmzzi5sdivibug25dqng3a._file
Verdict:
suspicious
Similar samples:
088999945f71cb731f4fa4d6e73591ecdf1829306a6dca66be75947fc0c8d00b
Loki
198d05241ee46346a622e687e628fbdbe7185db3a206eaa7883b5f18f0095de2
Loki
44b2a6748bfe73b0e4515854def74fbd816ffa56842e3b544438cb34a249a41c
Loki
46a8cd49147840874de19fba4807e2780189fa7e81b58fe01013b69f6aca34ac
Loki
574244157302423f04971fb2c348a4ae598a67b15f1a2edda0b2ea3cfcc0a4d9
Loki
60952b7b0b3edeb47b07f1d2a0fb87856b165550e47c605c4ef4fb1da699a332
Loki
a89c531ad157965de03cf15ab2783f0b24e6db0981556a7bf5ad8fe5c7d66ef5
Loki
b5bcbfe8ba02879ac963d4f9ed48203c934e80edb58b814129ad836544f2c3a3
Loki
d87e7752ee36b46b902d88317b5c5b172927760a4f171c95f812991ec62ae963
Loki
dc7336231300fc46c3be07afe1cb721f1b1a98f0a4a13029d9bfcabea5619259
Loki
+ 43 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
spyware trojan stealer family:lokibot
Link:
https://tria.ge/reports/200818-qc4erhfz2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Lokibot
Malware Config
C2 Extraction:
http://modevin.ga/~zadmin/lmark/gld/mode.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b1df4cb218093a57a5646f0d6ece41d548fae6cce51d90d1540686d747069b6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 9a588f0bf5a29cb6f90a0369afaa385e24a0caac1e774ed4162399745704d63b

Loki

Executable exe 6b1df4cb218093a57a5646f0d6ece41d548fae6cce51d90d1540686d747069b6

(this sample)

  
Dropped by
MD5 7f09f9b5c90f1866087db0cf0c0029e9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9a588f0bf5a29cb6f90a0369afaa385e24a0caac1e774ed4162399745704d63b
Cape
Cape
https://www.capesandbox.com/analysis/47744/

Comments