MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a839f83dfbd33d028d9761d10eda4fdb2d1f724caa2e374f8008ce22a652400. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 4

Intelligence 4 IOCs YARA 4 File information Comments

SHA256 hash:	7a839f83dfbd33d028d9761d10eda4fdb2d1f724caa2e374f8008ce22a652400
SHA3-384 hash:	ff20e893a338ee3d5f3ec0426b3427cd6a82f1b4795eabc87c4720bce7ed585cbece5e1f4d85fa799fc954f4766469dd
SHA1 hash:	59ae2d872fd070a9419016968b6c374e42b7a84a
MD5 hash:	8014edace5ddf05649e14ab9b2768ac1
humanhash:	indigo-emma-freddie-yellow
File name:	8014edace5ddf05649e14ab9b2768ac1.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	361'211 bytes
First seen:	2020-06-22 06:18:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep	6144:pPCganN1lEsZ7+iczlRFc/FB1+MIK/lr+odgpbW9NvAAhPSh5FIzf8F5:nanZEsdB+l3c/HI0Z+46W9NIAxIC8
Threatray	620 similar samples on MalwareBazaar
TLSH	627412085B40C4AADB2D16B0553AE63777EDCC1212C1BB472FD0AA5FFE190DE4A0F996
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Loki C2:
http://t-mk.me/ig15/fre.php

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/12398/

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

PUA.Win.Adware.Browserio-6725861-0

SecuriteInfo.com.Artemis162931E90DCF.4593.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a839f83dfbd33d028d9761d10eda4fdb2d1f724caa2e374f8008ce22a652400/

Threat name:

Win32.Trojan.CryptInject

Status:

Malicious

First seen:

2020-06-22 06:20:06 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pkbz7a67xuz5akgzoyorb3ne7wznd5zezkrog5hyacgoektfeqaa._file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://tria.ge/reports/200624-g66zl69tn2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Loads dropped DLL

Enumerates VirtualBox registry keys

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Lokibot Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Lokibot in memory
Reference:	internal research

Rule name:	win_lokipws_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	win_lokipws_g0 Create hunting rule
Author:	Slavo Greminger, SWITCH-CERT

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12398/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample