MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87435dd1a14d8a428088bcca64f19da8c6d7cc9d6a1c0cbc70cee30df36dbd25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87435dd1a14d8a428088bcca64f19da8c6d7cc9d6a1c0cbc70cee30df36dbd25
SHA3-384 hash: fd1be07912c1ddd078cda30451b28490008a4f21bb985a69b60e6fcb675c0d6baf23cf96daad889d1bab14181a5f8f54
SHA1 hash: 1fdbf99f82001781bfb49c2c7703a9d308aac17c
MD5 hash: 9b3743512802c59c1481db10ecebf8a9
humanhash: juliet-thirteen-massachusetts-green
File name:Salary_slip.exe
Download: download sample
Signature Loki
Create hunting rule
File size:599'040 bytes
First seen:2020-05-11 13:07:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 94ac44d361a5151c3b27c7d1a876a7f3 (14 x AgentTesla, 4 x Loki, 1 x NetWire)
ssdeep 12288:MExUfsAmpzpc+sK2gnnqovUVuqgQJV59m69SDkwhx6pQ:NGfM18WnMVuvk59195whxz
Threatray 1'489 similar samples on MalwareBazaar
TLSH 73D49E22F6B04437C13316FE4D5B57686926FE513928E94E2BE4DD4CAF3B68139262C3
Reporter abuse_ch
Tags:exe Loki


Avatar
abuse_ch
Malspam distributing Loki:

HELO: sadana.dua.rumahweb.com
Sending IP: 103.253.212.215
From: Personalia <recruitment@antam.id>
Subject: PaySlipEmail M1
Attachment: Salary_slip.rar (contains "Salary_slip.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Artemis85EBAC484AE7.32433.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 08:25:19 UTC
File Type:
PE (Exe)
Extracted files:
395
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5bv3unbjwfefaeixtfgj4m5vddnpte5nioazpdqz3rq343nxusq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
241659c06558629c97bc41cf40ac52124f10b969d5c2c5c3820ee8f4cfc99552
Loki
3552b7385b710b24ba5f643226a26b22a48c7b3f1a64f55bd044981b7ee46015
Loki
7b5294de28e02b4e0761778ca38ec8ee9b7770c3931912acd757e42e5a21a69f
Loki
85fae09c728982b41695a32e986eb3e5974899946c89e5ee74c88611253bdf82
Loki
89f5207d0dff332f1707f2511b033b383f445cfef01d02189df767258cbeb491
Loki
a405789e39eadf0915988ea3dec8ebc8f3bf7cc5ff14866600e0a35b473c4273
Loki
b8548946fc96a88d34f38da2d319bd507dbc6e5a7295800abfba4b34c0671e7d
Loki
bb38e95df7744e8e568b3e518b6cb6ebf8da11c6f77f4b6ed4f4835c9be54cb5
Loki
d404a04c648fc2966698a40775202d64e252e088aabcf0c447debbd3e347682f
Loki
d7ad8d33106a13111a1ad34620f269d77f5968aa6057228d54c5559a0c97ce24
Loki
+ 1'479 additional samples on MalwareBazaar
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot spyware stealer trojan
Link:
https://tria.ge/reports/201109-vr53sjn9te/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Lokibot
Malware Config
C2 Extraction:
http://198.23.200.239/~boxing/.tcsogb/gi'v.php/XVnWcAOzQGZJq
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar 84f790d3001a31818512aa7f5343bb0a1c3b529408b5668831f788a4801b10df

Loki

Executable exe 87435dd1a14d8a428088bcca64f19da8c6d7cc9d6a1c0cbc70cee30df36dbd25

(this sample)

  
Dropped by
MD5 9d1b0d8c538574ced9d2450304bdd3e1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 84f790d3001a31818512aa7f5343bb0a1c3b529408b5668831f788a4801b10df

Comments