MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 a7f3940d70cb5db4273a53459dbcd2ca876b792d89d78f1b0966320dbb11791d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Loki
Vendor detections: 6
| SHA256 hash: | a7f3940d70cb5db4273a53459dbcd2ca876b792d89d78f1b0966320dbb11791d |
|---|---|
| SHA3-384 hash: | 2f85e432e92291bf739a24990492cdf739480bf09cbfdfbd6aa915364e5f4dac52e2f850ad35719ccb3040cd5854a5b5 |
| SHA1 hash: | ee68cb5876ca5b1a5b2e35d8a03f67b9d12c044b |
| MD5 hash: | d25417e033e4321ee783fbf73018faf0 |
| humanhash: | november-delta-king-north |
| File name: | SWIFTTxKvK59EA3_31202205.rar |
| Download: | download sample |
| Signature | Loki |
| File size: | 581'099 bytes |
| First seen: | 2022-06-01 07:46:47 UTC |
| Last seen: | Never |
| File type: | rar |
| MIME type: | application/x-rar |
| ssdeep | 12288:JfwgvPDSwB/mffuIWsFl9AgIsBb4HGj9u4SDDiLwj9:Jwz0GWAl9AgJ5yGHMIe9 |
| TLSH | T178C423A9F652DD8744B73385FB295F8E05D34DF681EE6040F77C59E0E88B68880A419F |
| TrID | 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1) |
| Reporter |  cocaman |
| Tags: | Loki rar SWIFT |
cocaman
Malicious email (T1566.001)From: ""Accounts @ Nido" <accounts@nidoworld.com>" (likely spoofed)
Received: "from nidoworld.com (unknown [45.137.22.101]) "
Date: "31 May 2022 20:27:26 +0200"
Subject: "Re: PO-22-23-00445 - Target Hydrautech Pvt. Ltd - Dated 31.05.2022"
Attachment: "SWIFTTxKvK59EA3_31202205.rar"
Intelligence
File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.Woreflint
Status:
Malicious
First seen:
2022-06-01 07:47:08 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
18 of 40 (45.00%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
lokibot
Score:
10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=6965501981164365
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
0.90
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe Delivery method
Distributed via e-mail attachment
Dropping
Loki
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.