MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77c155dec91e95418d92156933299c5230623cdd2301651a335a28dbcc8e7d3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77c155dec91e95418d92156933299c5230623cdd2301651a335a28dbcc8e7d3a
SHA3-384 hash: 9b4f866960e7830d718a5a99b1b3d8999bc3e389a33267e39433bc65799b3226c73611c8f3a5af2f1e27132959d7f358
SHA1 hash: 0ec139e5269c91a9ca54d3bd0710edf9cb99e980
MD5 hash: 24c9a60da3297304e3bbf529832bce01
humanhash: emma-quiet-video-november
File name:8a83f02411ea93962b23bbaa9cd29e9a.exe
Download: download sample
Signature Loki
Create hunting rule
File size:106'496 bytes
First seen:2020-04-08 23:26:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0239fd611af3d0e9b0c46c5837c80e09 (250 x Loki, 1 x Heodo)
ssdeep 1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqfIzmd:nSHIG6mQwGmfOQd8YhY0/EqUG
Threatray 1'472 similar samples on MalwareBazaar
TLSH 58A32A42B2A5C030F7B74DB2BB73A5B7857E7C332D22C44E9352459A14215E1EB7AB13
Reporter abuse_ch
Tags:exe GuLoader Loki


Avatar
abuse_ch
Payload dropped by GuLoader from the following URL:
http://shalomadonai.com.br/rcky_encrypted_1D7EC20.bin

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.naKocTb-6331389-1
Create hunting rule

Win.Trojan.Autoit-7057849-0
Create hunting rule

Win.Trojan.Autoit-7057866-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-04-08 23:35:32 UTC
File Type:
PE (Exe)
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7avlxwjd2kuddmscvutgkm4kiygepg5emawkgrtliunxteopu5a._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
09e967e35d3f03784901577e89322f008ed33c6b26453256d5b2492cab996c8d
Loki
199528b69b42d1af70f525973be5e53bcd16c19b39a117cfaa27ba1a515723f8
Loki
3d611ca54f64546327d9bc6993662d5058a7f07fa8e16b81fc7ee6ff60d952f2
Loki
814b0968761c0dbd4a43208cd82d150aa6608538abb845561257687ed9cd0524
Loki
9322b0f3acdb180dc3ff81c0cf648b26c294caddcb550a18296941d302519274
Loki
96ff361eeb8ab440652d1cbb8b28146f8dd9ee8cf9885f84ff4592b2551da57f
Loki
a702e991a5cf37a366df45fe22e62035795de3d38a36b87c17403c4283abf369
Loki
ec8bb56bd664de90b06d8219ac5b1326da2875a0b0c255befbd8553b0b5c4cfb
Loki
eec64be092d3bd6ac2f32cbbc1bb4f50b373200d8431ae7f62a02834afbe7aef
Loki
f94e8615fb3b739ab3ad8ec81511b5439a72d4e865a5f9975aa524ac6036d3c2
Loki
+ 1'462 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

zip 933209274ed4f7eeb6884135bcab8a531f1447468e213dc8b2d8198c5c6b8de0

Loki

Executable exe 1224967aa7aa8b416aae37b76dc075255948fcf66a6986a880dd00f0ca17737e

Loki

Executable exe 77c155dec91e95418d92156933299c5230623cdd2301651a335a28dbcc8e7d3a

(this sample)

  
Dropped by
MD5 8a83f02411ea93962b23bbaa9cd29e9a
  
Dropped by
MD5 50e796f1ada156fdc5edd6009a37f7a2
  
Dropped by
GuLoader
  
Dropped by
SHA256 1224967aa7aa8b416aae37b76dc075255948fcf66a6986a880dd00f0ca17737e
  
Dropped by
SHA256 7c5ac8878c4840159ba177cfb118c6ba7cc90eb71033785338290305eefa8ef3
  
URLhaus
https://urlhaus.abuse.ch/url/337185/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments