MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82ad3e5d52c6b6b26f56ff7863ed572ffb09de0701635dabce5923768453438b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: 82ad3e5d52c6b6b26f56ff7863ed572ffb09de0701635dabce5923768453438b
SHA3-384 hash: ab46bddd6cb9d4b1d5a44007e7eabf252439553b8dcf9781c79de5529fd4867467513060bb8b71bc7c76e94fc305b549
SHA1 hash: bd16c795a6e876363c90ffa7908606ed4605221b
MD5 hash: 63e6327e7fc65e4fdb8836589881d7e8
humanhash: tennis-fix-salami-texas
File name: gunzipped
Signature: Loki
File size: 210'432 bytes
First seen: 2020-06-30 08:58:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 3072:gRcWWEudlnROqYoG97BIKSTSyy2bJ4qASNVdu3KwHykRqRe2+0PznzIKTDLV:0DWxwX7uKSJylqZNV+BDcRBZzIG
TLSH: 04248C3813688723E5B9ABB4916928100FB1653F3852E77CBE5475CB79627D08633E3B
Reporter: @abuse_ch
Tags: DHL gunzipped Loki

Malspam distributing Loki:

Sending IP:
From: Formal Delivery Clearance Support (DHL) <>
Subject: Electronic invoice generated by DHL Express_Invoice 30-06-2020: Air Waybill no 13042500307
Attachment: DHL AWB 13042500307_pdf.gz (contains "gunzipped")

Loki C2:


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 31
Origin country: FR
CAPE Sandbox Detection: Loki
CERT.PL MWDB Detection: lokibot
ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 09:00:07 UTC
AV detection: 17 of 31 (54.84%)
Threat level: 5/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: lokibot
Tags: trojan spyware stealer family:lokibot
VirusTotal: Virustotal results 13.89%

Yara Signatures

Rule name: Lokibot
Author: JPCERT/CC Incident Response Group
Description: detect Lokibot in memory
Reference: internal research

Rule name: win_lokipws_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_sqlite
Author: Julian J. Gonzalez <>
Description: Rule to detect the presence of SQLite data in raw image

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe 82ad3e5d52c6b6b26f56ff7863ed572ffb09de0701635dabce5923768453438b

(this sample)

Dropped by: MD5 cbc1570dd8315877d7f05e206f11d067
Delivery method: Distributed via e-mail attachment