MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89f5207d0dff332f1707f2511b033b383f445cfef01d02189df767258cbeb491. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89f5207d0dff332f1707f2511b033b383f445cfef01d02189df767258cbeb491
SHA3-384 hash: dcd53458e8d8b18dca3d47978fde9d89fe4f29e1185e65fa0340ad1c338adcdba4857f7e3df3468ec650e6de5b1313ba
SHA1 hash: d49c327ef53ad5f6c171442239d354f9bcac1078
MD5 hash: 8787f735a14f0672d4c2f4a1d78404d5
humanhash: south-oscar-cup-enemy
File name:Attached-scan5500_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:1'020'928 bytes
First seen:2020-04-10 11:39:25 UTC
Last seen:2020-04-10 20:34:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 60413524c347373cf487078cadddb576 (4 x RemcosRAT, 3 x Loki, 3 x AgentTesla)
ssdeep 24576:xCAd9LxjhH70lCnAm7Qe8rPW9KookRgwYtci:xT4bmBKProokGw5i
Threatray 1'467 similar samples on MalwareBazaar
TLSH DD259E22F6929873C1331A7D9D4B97A4983AFE002D7859463FF91E8C6F396823C191D7
Reporter jarumlus
Tags:Loki

Intelligence

File Origin
# of uploads :
3
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7662488-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Siggen2.46761.4057.2023.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-10 06:53:06 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rh2sa7in74zs6fyh6jirwaz3ha7uixh66aoqege565tsldf6wsiq._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1605653f82f11b2142c15aa911538d510450a727275ffe42099b63e3da002089
Loki
2516fe6075e9d7ee9446bc47745288fab68c86b5e2aeec94f34ee532f5ea6d89
Loki
7a7438886a3a9e9ca3b2187509ee26856f7befb671bd8a9fd35502c8e07d00f5
Loki
a405789e39eadf0915988ea3dec8ebc8f3bf7cc5ff14866600e0a35b473c4273
Loki
b69c69a4e61c0aa4eb601eae795266fcfec4c4e691142afe306289fb2a8fa69a
Loki
b8548946fc96a88d34f38da2d319bd507dbc6e5a7295800abfba4b34c0671e7d
Loki
c659ef91b7e46bf83528543fd14dfb2a117a2a12df4258f8025f98888c79c97f
Loki
d61ad898156a0a55f4c1fc94d1c1e50edaac189c7b961371d2e5f7d2585969ed
Loki
dad34e99649f1ccf1683912125fee03f3b1353f828ba33facb8fe5ab5e8a8df6
Loki
e63f29324ba77f9c16f9d079c7fbf7235b71d8a1011e9dc0d4004f63381ab228
Loki
+ 1'457 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetFileAttributesA
kernel32.dll::FindFirstFileA
kernel32.dll::GetTempPathA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments