MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a89cf5f25c8c7b346abd782db98b6ab1764c11514ae90e9978aff0b17e00e2e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a89cf5f25c8c7b346abd782db98b6ab1764c11514ae90e9978aff0b17e00e2e5
SHA3-384 hash: e8481bb319b315da3b30b85b7ff648f7471cb0c4c280a00b39955841c85c71fffbfc30e0de2bc372c99104d78d030065
SHA1 hash: cb59d18866c52e11bf7ba51b80d95247c71d1790
MD5 hash: 920363392b115b4cf5e9e1a3b7c6b90f
humanhash: paris-johnny-foxtrot-violet
File name:Maerskline Shipping Documents.rar
Download: download sample
Signature Loki
Create hunting rule
File size:428'043 bytes
First seen:2022-07-04 08:27:51 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 12288:Cdz8KUCs5Mb/L1HCosA6ZlNEEo9P4AV/e5l:WiCEMRCosvZvE/P4Sk
TLSH T1AC94231EC5385218A1DF30B2F36504BBBDD7329963B60CBE50CF88F22A46D9696F6845
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Reporter cocaman
Tags:Loki Maersk rar Shipping


Avatar
cocaman
Malicious email (T1566.001)
From: "Maersk Line <maersk@mv31.ffeizi.cfd>" (likely spoofed)
Received: "from hp0.mv31.ffeizi.cfd (unknown [207.154.207.238]) "
Date: "Sun, 03 Jul 2022 20:53:56 -0700"
Subject: "Bill Of Lading For Current Shipment"
Attachment: "Maerskline Shipping Documents.rar"

Intelligence

File Origin
# of uploads :
1
# of downloads :
169
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a89cf5f25c8c7b346abd782db98b6ab1764c11514ae90e9978aff0b17e00e2e5/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-07-04 01:56:32 UTC
File Type:
Binary (Archive)
Extracted files:
7
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vcopl4s4rr5ti2v5paw3tc3kwf3eyekrjluq5glyv7ylc7qa4lsq._file
Result
Malware family:
lokibot
Create hunting rule
Score:
  10/10
Tags:
family:lokibot collection spyware stealer suricata trojan
Link:
https://tria.ge/reports/220704-kc3dysfffl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Reads user/profile data of web browsers
Lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
Malware Config
C2 Extraction:
http://198.187.30.47/p.php?id=10316882234268616
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Loki

rar a89cf5f25c8c7b346abd782db98b6ab1764c11514ae90e9978aff0b17e00e2e5

(this sample)

Loki

Executable exe a4bb6e9c41c7d7f5b782355f7fb056f44fe66ad6ebd0d589b7941b8905e219d8

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 a4bb6e9c41c7d7f5b782355f7fb056f44fe66ad6ebd0d589b7941b8905e219d8
  
Dropping
Loki

Comments