MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89ed1483ade890ada1d088ca1c76a378ed83043fe2dfc877b69788a5857b375c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89ed1483ade890ada1d088ca1c76a378ed83043fe2dfc877b69788a5857b375c
SHA3-384 hash: 60b8a5446b47297702ac64a6e439b6e2c7701d7922741e6b2c97c1e48a5b7de27aa6b3fc6d27cc1f34b7870d8552a8da
SHA1 hash: 68bac1d99f2937acf8e588f9b52c5ba54cc04de9
MD5 hash: c6915177daf05150797282dd8a897642
humanhash: minnesota-mango-sweet-network
File name:00090330001853-Swift Advice.rar.exe
Download: download sample
Signature Loki
Create hunting rule
File size:552'608 bytes
First seen:2022-12-14 09:53:01 UTC
Last seen:2023-01-06 10:34:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e221f4f7d36469d53810a4b5f9fc8966 (118 x GuLoader, 28 x RemcosRAT, 21 x Formbook)
ssdeep 12288:jtoAXsmMsGtYzXV4mNNGEv4OJhdNFSI4fj+slnfoEi/:61mMsGazXTp4OTdNFRalnzo
Threatray 39 similar samples on MalwareBazaar
TLSH T16EC42259F6DAC063F405C9B60D63DCBBA63EAC872874251B72817B3EAD33253542B11B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9869e0f8d0f0f870 (4 x GuLoader, 2 x Loki)
Reporter Anonymous
Tags:exe Loki signed

Code Signing Certificate

Organisation:Mellemskolernes
Issuer:Mellemskolernes
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T20:05:01Z
Valid to:2025-08-16T20:05:01Z
Serial number: -667e2a4d0db2b091
Thumbprint Algorithm:SHA256
Thumbprint: e4b032ea58a69b8664c2f08124911ddd80907eb209e7c6b9444cc84b6a467353
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
guloader
Create hunting rule
ID:
1
File name:
00090330001853-Swift Advice.rar.exe
Verdict:
Malicious activity
Analysis date:
2022-12-14 09:54:03 UTC
Tags:
guloader
Link:
https://app.any.run/tasks/4b84ab67-b84d-47d2-9216-56beeff1e515

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/346201/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.64226100.32499.29947.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a file
Delayed reading of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63999cff75655a0108eac27b/reports/cef41f7e-b861-4687-acfc-ed6b9f7445e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a7161877-edaf-49bb-9808-1b0e06ff5a18
Result
Threat name:
Lokibot
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1134103
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect Any.run
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Lokibot
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89ed1483ade890ada1d088ca1c76a378ed83043fe2dfc877b69788a5857b375c/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-13 05:03:07 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhwrja5n5cik3ioqrdfby5vdpdwygbb74lp4q55ws6eklbl3g5oa._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
32734437ca16d5bf5babbbe8dfe93dfdc953418dcd53cde0b7fe55b6c69fc3b4
Loki
6d43c96f1425abf6538f9b526b768f2fa284dcd9fec93e5b5cf001a4f83fdb89
Loki
8249e0dd2d6aa3dd84876d6624801ef02e8edc9e403b99b8e06d3a81e492df00
Loki
83cf1834c1ebc4ab37dcf0734120efadb2ca3354e28c0887aa2188f03de39a15
Loki
913172750585a6984011e58a573a38cd7ed051e2145690cf7a4b53b1ca49725c
Loki
ba99bed9890c619411129e8902aaaf4f65a68c77735a577f8a85428e4f4167e5
Loki
cee7147196a22b811bb317672f544d43d52140d6da8d2843550f8bdd05c08215
Loki
d46d42ee9797144da35c4b0eaf6599c8c9d5edc24afe88ac098bcda6cc20d1cb
Loki
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221214-lwmchshf92/
Behaviour
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b3411c83-9379-4cac-9c6e-5bc416326386
Unpacked files
SH256 hash:
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
MD5 hash:
ca332bb753b0775d5e806e236ddcec55
SHA1 hash:
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
Link:
https://www.unpac.me/results/012d4d1c-eb7a-4d08-a2f3-b322c4b128c3/
SH256 hash:
89ed1483ade890ada1d088ca1c76a378ed83043fe2dfc877b69788a5857b375c
MD5 hash:
c6915177daf05150797282dd8a897642
SHA1 hash:
68bac1d99f2937acf8e588f9b52c5ba54cc04de9
Link:
https://www.unpac.me/results/012d4d1c-eb7a-4d08-a2f3-b322c4b128c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/89ed1483ade890ada1d088ca1c76a378ed83043fe2dfc877b69788a5857b375c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

Executable exe 89ed1483ade890ada1d088ca1c76a378ed83043fe2dfc877b69788a5857b375c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/346201/

Comments