MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bd9ea17addea0996201542e1cd4564ba1ec875ef78cbecb2fd5d15005e48191. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Loki


Vendor detections: 3



SHA256 hash: 8bd9ea17addea0996201542e1cd4564ba1ec875ef78cbecb2fd5d15005e48191
SHA3-384 hash: 93cd0d05bf8fb2a4ccd6f90a8319164fa7406a960ced6093750931d741d0fa50d535402d20696ef83189941c6aba6130
SHA1 hash: 30923a5e1095895d4aedaeb1cc8851abb6d20e22
MD5 hash: 59cf91575c285c9c3983b52e48401c85
humanhash: uncle-social-nevada-mike
File name: Swift Copy.gz
Signature: Loki
File size: 25'789 bytes
First seen: 2020-03-30 12:05:02 UTC
Last seen: Never
File type: gz
MIME type: application/gzip
ssdeep: 768:2r9pe3XeuDqW9fTqFjuvAFFg+OpoBlLAKCAxL2eArZ:2rDSuYqW0FjuvAFF5uoBBA4R2trZ
TLSH: 48C2E1BB98752270979DCA449F9F2B3E4B26BC1521081045875D342CEDF8BEF8CB9B94
Reporter: abuse_ch
Tags: COVID-19 GuLoader gz Loki


abuse_ch
COVID-19 themed malspam campaign distributing GuLoader->Loki:

HELO: merbabu.indocorp.com
Sending IP: 202.51.253.120
From: Eva farikhah <eva.ferikhah@fedex.com>
Subject: Fwd: Customer Letter FedEx- TNT -Service Adjustment due to COVID19
Attachment: Swift Copy.gz (contains "Swift Copy")

GuLoader payload URL (Loki):
https://drive.google.com/uc?export=download&id=19fcd-noyYBeZstMRhEOUUDitXJ9wfj0-

Loki C2:
http://audiosv.com/wp-admin/user/cc/Panel/fre.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Frs
Status: Malicious
First seen: 2020-03-30 12:35:28 UTC
File Type: Binary (Archive)
Extracted files: 7
AV detection: 22 of 47 (46.81%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Loki
gz 8bd9ea17addea0996201542e1cd4564ba1ec875ef78cbecb2fd5d15005e48191 (this sample)
Dropping GuLoader
Delivery method: Distributed via e-mail attachment

Comments