MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70ad3fad1485d52219ce9b1758f68d4acd6f81cae05be07f1c02fe5b6d38673b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 3
SHA256 hash: 70ad3fad1485d52219ce9b1758f68d4acd6f81cae05be07f1c02fe5b6d38673b
SHA3-384 hash: 5c9fe84f33959b3e442cf14b31d3eafd4f0d7bae6925930bdb407c38ab4a32a8d4647bba056157780803bded09be7d02
SHA1 hash: 6539e43714c7568f36a8457d03132ad558b91233
MD5 hash: 55bb086b1369463e917c82941f259ee7
humanhash: cold-delta-sodium-potato
File name: TNT Express Notification.zip
Signature: Loki
File size: 878'803 bytes
First seen: 2020-04-02 06:23:01 UTC
Last seen: Never
File type: zip
MIME type: application/zip
ssdeep: 12288:WqBr1KHY4Il2uOq4uDFPqutPkEOawjQ4OQgthmklV/Izv+TIh/258fltfc6CxtcS:7lw4zfrCSPWVurlV/g+Y3xC0HO6K55
TLSH: F91533F366B90346CE4F683707FA66F05A78119971EAB86577C605D9A88CC1E3B23C1C
Reporter: abuse_ch
Tags: COVID-19 Loki zip


abuse_ch
COVID-19 themed malspam distributing Loki:

HELO: host.s102host.com
Sending IP: 206.225.80.195
From: TNT Customer Care <customerservice.sg@tnt.com>
Subject: Your shipment was returned to our office!!! BECAUSE OF COVID-19 OUTBREAK(TNT Express Notification)
Attachment: TNT Express Notification.rar (contains "TNT Express Notification.exe")
Attachment: TNT Express Notification.zip (contains "TNT Express Notification.exe")

Loki C2s:
http://supergeorgia.ge/ged/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 88
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Cklmpdq
Status: Malicious
First seen: 2020-04-02 06:35:37 UTC
File Type: Binary (Archive)
Extracted files: 27
AV detection: 19 of 47 (40.43%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Loki
zip 70ad3fad1485d52219ce9b1758f68d4acd6f81cae05be07f1c02fe5b6d38673b (this sample)
Dropping: Loki
Delivery method: Distributed via e-mail attachment

Comments