MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 745f4c8779d5d06a11961abfe988f02954f4d4484bd45b625a07773fc19dabe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 6
| SHA256 hash: | 745f4c8779d5d06a11961abfe988f02954f4d4484bd45b625a07773fc19dabe6 |
|---|---|
| SHA3-384 hash: | 54b8631eeacb3de9180ebabea23f772429b6a5a2daa8c324c455af90e42d3c3b4ea5253683793a7f473816e178270975 |
| SHA1 hash: | 0755c442d70d0029bcfd7d37042334259611dc77 |
| MD5 hash: | ef1c2cef13b8996a4ec493c7a958e274 |
| humanhash: | winner-nevada-nevada-alpha |
| File name: | angebotsanfrage.pdf.zip |
| Signature | Loki |
| File size: | 288'740 bytes |
| First seen: | 2021-10-05 10:23:23 UTC |
| Last seen: | Never |
| File type: | zip |
| MIME type: | application/zip |
| ssdeep | 6144:Lm7K0CzAF/z72YlzXNcOcqdWL7C9grClWG9P7pttEH:Lm20qAJ7plrNcDqdWL7C9+ClWG9P77i |
| TLSH | T1F154236597E91CE7C68A2DA23C9A88C95F4EACF43484235C07C279FFD4738A02A56D53 |
| Reporter | |
| Tags: | .NET exe Loki zip |
targodev
Received via e-mail, impersonating the current President of the Humboldt-University in Berlin, Germany (including the sender mail). It is written in syntactically perfect German but with a few grammar quirks. Also the content of the message seems strange / somewhat implausible. The mail praises the recipient's company with a request to fill out the attached invoice and to offer the best price to the Humboldt-University. Pressure is kept up by asking the recipient to answer within 3 days (received 05.10.2021, asked to answer by 08.10.2021).
==== Mail Headers ====
Return-Path: <REDACTED_SENDER_A>
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=62.201.172.24; helo=shout01.mail.de; envelope-from=REDACTED_SENDER_A; receiver=<UNKNOWN>
Authentication-Results: 'REDACTED_A'; dmarc=none (p=none dis=none) header.from=hu-berlin.de
Authentication-Results: REDACTED_A;
dkim=pass (2048-bit key; unprotected) header.d=mail.de header.i=@mail.de header.b="7Mb4dms4";
dkim-atps=neutral
Received: from shout01.mail.de (shout01.mail.de [62.201.172.24])
by REDACTED_A (Postfix) with ESMTPS id 6E1B2981833
for <REDACTED_B>; Tue, 5 Oct 2021 10:53:29 +0200 (CEST)
Received: from postfix01.mail.de (postfix03.bt.mail.de [10.0.121.127])
by shout01.mail.de (Postfix) with ESMTP id 428E01004AA
for <REDACTED_B>; Tue, 5 Oct 2021 10:53:22 +0200 (CEST)
Received: from dovecot05 (dovecot05.bt.mail.de [10.0.121.115])
by postfix01.mail.de (Postfix) with ESMTP id C8937801C2
for <REDACTED_B>; Tue, 5 Oct 2021 10:53:21 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.de;
s=mailde202009; t=1633424001;
bh=ylVrySoj3b+cm744Tk18V7DBIo253h+EDGAFO+u7tVw=;
h=Date:From:To:Subject:Reply-To:From;
b=7Mb4dms44toBNi+ihrViecLlPn520VWqBs896Ew1t7hLAJ+10gAU7MBIEDVEtFCYV
i5JVATE6UzALjBxTvlXwf3nsDBpVnX3qZhw4lMzRGzxJ1rFsqri+ODvoibKC4+WzdL
XXwJRaISkEqFNgi4hDONnQZwRpKFrBR2BpNsFQEMCLGOZTAQnGnKNeqzZgcFxy+GIy
r5Wl/mgGeN4t+72qErfJ7GzCYVRNHQG7C5A44aWOeE7cIUdWmT/GneSCB0hs+5f6LA
awQEzwkBCoiToqhBJaxYzTiW/zPcdCZE87tSiz0qHTHtEnDFbQbl5fSZbtePju6QRp
1X7uqHMX6SsEQ==
X-Sieve: Pigeonhole Sieve 0.4.24.2 (aaba65b7)
X-Sieve-Redirected-From: REDACTED_C
Delivered-To: REDACTED_C
Received: from director03 ([10.0.121.146])
by dovecot05 with LMTP id sBjDCoESXGG8agAAAP82Bw
for <REDACTED_C>; Tue, 05 Oct 2021 10:53:21 +0200
Received: from localhost ([10.0.121.146])
by director03 with LMTP id oOiFCoESXGFcIAAAUyPkog
; Tue, 05 Oct 2021 10:53:21 +0200
X-Original-To: REDACTED_C
Authentication-Results: mxpostfix02.mail.de; spf=none (mailfrom) smtp.mailfrom=hu-berlin.de (client-ip=217.65.97.131; helo=west.ikron.hu; envelope-from=REDACTED_SENDER_A; receiver=<UNKNOWN>)
Authentication-Results: mxpostfix02.mail.de; dmarc=none (p=none dis=none) header.from=hu-berlin.de
Authentication-Results: mxpostfix02.mail.de; dkim=none; dkim-atps=neutral
Received: from west.ikron.hu (expurgate03.bt.mail.de [217.65.97.131])
by mxpostfix02.mail.de (Postfix) with ESMTP id C74338015B
for <REDACTED_C>; Tue, 5 Oct 2021 10:53:20 +0200 (CEST)
Received: from [217.65.97.131] (helo=west.ikron.hu)
by mx03.mail.de with ESMTPS (eXpurgate 4.32.0)
(envelope-from <REDACTED_SENDER_A>)
id 615c1278-6d2c-0a0078cb0019-d9416183e400-3
for <REDACTED_C>; Tue, 05 Oct 2021 10:53:13 +0200
X-Envelope-To: REDACTED_D
[REMOVED_SEVERAL_MORE_X-ENVELOPE_HEADERS]
MIME-Version: 1.0
Date: Tue, 05 Oct 2021 11:52:45 +0300
From: =?UTF-8?Q?Humboldt-Universit=C3=A4t_zu_Berlin?=
<REDACTED_SENDER_A>
To: undisclosed-recipients:;
Subject: =?UTF-8?Q?Angebotsanfrage_=28Humboldt-Universit=C3=A4t_zu_Berlin?=
=?UTF-8?Q?=29_05/10/2021?=
Reply-To: REDACTED_SENDER_A, REDACTED_SENDER_B,
REDACTED_SENDER_C@abv.bg
Message-ID: <10ee08472bcccddd93151369b0147e06@hu-berlin.de>
X-Sender: REDACTED_SENDER_A
Content-Type: multipart/mixed;
boundary="=_35ea40a6443731f915292262d658481c"
X-Virus-Scanned: clamav-milter 0.102.4 at west
X-Virus-Status: Clean
X-purgate-ID: 153031::1633423993-00006D2C-C506565F/7/0
X-purgate-type: dangerous.attachment
X-purgate-size: 444094
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: dangerous
===================
I've redacted personal information because I don't want to dox anyone. REDACTED_SENDER_A and REDACTED_SENDER_B relate to the president of Humboldt-University. REDACTED_SENDER_C is a Russian-sounding name. I left in any information about Humboldt-University and its president, which is publicly available.
==== Mail Content ====
Humboldt-Universität zu Berlin
Unter den Linden 6, 10117 Berlin, Germany
+49 30 2093-REDACTED
Good morning from the Humboldt-Universität zu Berlin
We have received good reports about your company. Prof. Dr.-Ing.
Dr. Sabine Kunst, President of the Humboldt-Universität zu Berlin, invites
you to submit your commercial proposal for our 2021 school budget
(attached).
Give us your best prices as quickly as possible. Make sure that your
offer arrives before 08 October 2021. Once we have received your offer,
we will visit your company for further discussions. Please find the
attachment; let us know immediately if you need further information.
Thank you and best regards.
Prof. Dr.-Ing. Dr. Sabine Kunst
President of the Humboldt-Universität zu Berlin
Unter den Linden 6, 10117 Berlin, Germany
Email: REDACTED_SENDER_A
Telephone: +49 30 2093-REDACTED
_______________________________________________________________
Disclaimer! Please print this e-mail only if it is absolutely
necessary!
This message (including all attachments) is the property of the
humboldt-universität zu berlin and contains confidential information
that is intended for one person and a specific purpose and is protected
by law. If you are not the intended recipient, you must delete this
message and inform them that any disclosure, reproduction or
distribution of this message, as well as any action taken in relation
to it, is strictly prohibited.
Virus-free www.avast.com
==================
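A defender-side illustration added here (not part of the reporter's comment or of MalwareBazaar): the Authentication-Results headers quoted above, unfolded onto single lines, run through a relaxed DMARC identifier-alignment check. The only dkim=pass belongs to d=mail.de, the intermediate mailbox that redirected the message via Sieve, not to header.from hu-berlin.de, and SPF is none, so nothing authenticates the displayed sender; the organizational-domain helper is a deliberate simplification.

```python
import re

# Constructed sample: the authentication headers quoted in the reporter's
# comment above, unfolded, with the page's redaction markers left in place.
SAMPLE_HEADERS = """\
Authentication-Results: REDACTED_A; dmarc=none (p=none dis=none) header.from=hu-berlin.de
Authentication-Results: REDACTED_A; dkim=pass (2048-bit key; unprotected) header.d=mail.de header.i=@mail.de header.b="7Mb4dms4"; dkim-atps=neutral
Authentication-Results: mxpostfix02.mail.de; spf=none (mailfrom) smtp.mailfrom=hu-berlin.de (client-ip=217.65.97.131; helo=west.ikron.hu; envelope-from=REDACTED_SENDER_A; receiver=<UNKNOWN>)
Authentication-Results: mxpostfix02.mail.de; dkim=none; dkim-atps=neutral
"""

AUTH_RESULTS = re.compile(r"^Authentication-Results:\s*(.*)$", re.I | re.M)


def parse_auth_results(raw_headers):
    """Parse RFC 8601 Authentication-Results headers into per-method results."""
    results = []
    for match in AUTH_RESULTS.finditer(raw_headers):
        body = re.sub(r"\([^)]*\)", "", match.group(1))  # drop (comments) first
        authserv, *statements = [p.strip() for p in body.split(";") if p.strip()]
        for stmt in statements:
            first, *rest = stmt.split()
            method, _, result = first.partition("=")
            props = dict(t.split("=", 1) for t in rest if "=" in t)
            results.append({"authserv": authserv, "method": method.lower(),
                            "result": result.lower(), "props": props})
    return results


def org_domain(domain):
    # Simplification for this example: last two labels. Production code
    # consults the Public Suffix List so that e.g. co.uk is handled.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dmarc_alignment(raw_headers):
    """Relaxed DMARC alignment: does any passing SPF/DKIM identifier share
    the organizational domain of the RFC5322.From (header.from)?"""
    results = parse_auth_results(raw_headers)
    header_from = next(r["props"]["header.from"] for r in results
                       if r["method"] == "dmarc" and "header.from" in r["props"])
    dkim_pass = [r["props"].get("header.d", "") for r in results
                 if r["method"] == "dkim" and r["result"] == "pass"]
    spf_pass = [r["props"].get("smtp.mailfrom", "") for r in results
                if r["method"] == "spf" and r["result"] == "pass"]
    aligned_dkim = [d for d in dkim_pass if org_domain(d) == org_domain(header_from)]
    aligned_spf = [d for d in spf_pass if org_domain(d) == org_domain(header_from)]
    return {"header_from": header_from,
            "dkim_pass_domains": dkim_pass,  # a forwarder's pass is not alignment
            "aligned_dkim": aligned_dkim, "aligned_spf": aligned_spf,
            "dmarc_pass": bool(aligned_dkim or aligned_spf)}
```

Calling `dmarc_alignment(SAMPLE_HEADERS)` reports a DKIM pass for mail.de only, no aligned identifier and `dmarc_pass` False, which is why a mail filter should not treat the visible dkim=pass as authenticating the hu-berlin.de sender.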
Intelligence
File Origin
| # of uploads: | 1 |
|---|---|
| # of downloads: | 163 |
| Origin country: | n/a |
Vendor Threat Intelligence
| Verdict: | Suspicious |
|---|---|
| Threat level: | 5/10 |
| Confidence: | 100% |
| Tags: | obfuscated packed |
Result
| Verdict: | MALICIOUS |
|---|---|
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
| Threat name: | ByteCode-MSIL.Trojan.AgentTesla |
|---|---|
| Status: | Malicious |
| First seen: | 2021-10-05 10:24:12 UTC |
| AV detection: | 18 of 27 (66.67%) |
| Threat level: | 5/5 |
| Detection(s): | Malicious file |
Please note that we are no longer able to provide a coverage score for VirusTotal.
| Threat name: | Lokibot |
|---|---|
| Score: | 0.90 |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
| Delivery method | Distributed via e-mail attachment |
|---|---|