MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d8fc608e438fa407e73ad8e18d0978e83afb07894dddac811385d317c106336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Loki

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	7d8fc608e438fa407e73ad8e18d0978e83afb07894dddac811385d317c106336
SHA3-384 hash:	64c1e983ea6ab02271b5acda76bf83125d040ee0d1f70753ad6a863ffe49563a63d25ba519f1b32a1ddf6578deae97d4
SHA1 hash:	61bde70fe5e0145c9615ab7d9791bee91bf4b139
MD5 hash:	59fb38ca9000d5553a9d1ddf9015eb40
humanhash:	harry-zulu-salami-london
File name:	INVOICES.exe
Download:	download sample
Signature	Loki Create hunting rule
File size:	1'197'056 bytes
First seen:	2020-07-06 08:22:23 UTC
Last seen:	2020-07-06 09:06:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:r1NzDB/jawvR4i0Yl0zSHsecrfkFuOyr7Og:5r/PR94w/y/Og
Threatray	1'531 similar samples on MalwareBazaar
TLSH	DA45BF80D6088CA6FC0D4B35D8778C38425BBE7BAC79E10E295DB6650FB73C2A466D17
Reporter	abuse_ch
Tags:	exe Loki

abuse_ch

Malspam distributing unidentified malware:

HELO: n3.syzefxis.gov.gr
Sending IP: 95.211.208.25
From: Faiyaz Sayyed <dke.t.perivalontos@n3.syzefxis.gov.gr>
Subject: RE: R-131 INVOICES
Attachment: INVOICES.gz (contains "INVOICES.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/21365/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.UTO.28339.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Launching the default Windows debugger (dwwin.exe)

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d8fc608e438fa407e73ad8e18d0978e83afb07894dddac811385d317c106336/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-06 08:24:08 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pwh4mchehd5ea7ttvwhbruexr2b27mdysto5vsarhbotc7aqmm3a._file

Verdict:

malicious

Label(s):

lokipasswordstealer(pws)

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200706-mp1d213eka/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

gz eca356b9d04b47636e92e696eebdc4d38ab2207641608a0b1a1af4d957a20f14

Loki

exe 7d8fc608e438fa407e73ad8e18d0978e83afb07894dddac811385d317c106336

(this sample)

Dropped by

MD5 514da573538e257e5730b87849833f47

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 eca356b9d04b47636e92e696eebdc4d38ab2207641608a0b1a1af4d957a20f14

Cape

https://www.capesandbox.com/analysis/21365/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample