MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 944bb4d04a51cf5ece6698bdca3adc570983bbf2d41fa4bff327eb7fa0706688. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 944bb4d04a51cf5ece6698bdca3adc570983bbf2d41fa4bff327eb7fa0706688
SHA3-384 hash: 5c533f55d849467d7f425239948a23111c745b4ea16e0acbc4fa11119068f49a54326295199e6cce62a9597883a56a7f
SHA1 hash: 38757fe7306ee237f5d87132083bbb5494846278
MD5 hash: e4dda6a79402ab140234d2f1f8e2a35c
humanhash: delaware-winner-beer-low
File name:Scan06_pdf.exe
Download: download sample
Signature Loki
Create hunting rule
File size:608'768 bytes
First seen:2020-04-21 07:11:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 576456269f5d2a55be41b990ba7cae04 (3 x Loki, 1 x AgentTesla)
ssdeep 12288:JgOdoGRmJnRojvmWsNfPeU3rLXetqzau3q38Wu1H+n39Ux:GuoGInRoiWsJeKLXcq1yu1mUx
Threatray 1'478 similar samples on MalwareBazaar
TLSH 8DD49E32F2E08433C162167D4C5B5668A93AFD103D295D4A2BE41D4CAF396CD39EB29F
Reporter jarumlus
Tags:Loki

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Ulise-7687324-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.28391.13173.708.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-04-21 00:52:00 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=srf3juckkhhv5ttgtc64uow4k4eyho7s2qp2jp7te7vx7idqm2ea._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
1ee2d9fef707b1bbe459083114c784e6950c11ec9cd36d367d1588d3930ec4f5
Loki
2516fe6075e9d7ee9446bc47745288fab68c86b5e2aeec94f34ee532f5ea6d89
Loki
7a7438886a3a9e9ca3b2187509ee26856f7befb671bd8a9fd35502c8e07d00f5
Loki
7b5294de28e02b4e0761778ca38ec8ee9b7770c3931912acd757e42e5a21a69f
Loki
7ff2908578c1928b92bc21a812246bc7e76d571f6f5282234ece68f472f01a46
Loki
85882eb547fe7cdfa1dc1ac5287ba40cd0580254d0df76b06f43d892dc701e95
Loki
b69c69a4e61c0aa4eb601eae795266fcfec4c4e691142afe306289fb2a8fa69a
Loki
b8548946fc96a88d34f38da2d319bd507dbc6e5a7295800abfba4b34c0671e7d
Loki
c659ef91b7e46bf83528543fd14dfb2a117a2a12df4258f8025f98888c79c97f
Loki
e63f29324ba77f9c16f9d079c7fbf7235b71d8a1011e9dc0d4004f63381ab228
Loki
+ 1'468 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_lokipws_g0
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments