MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab2b30ab80cc9b916fa2885d0e223ff2b8a0ed619a0cdf795f5ca2f967d76837. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab2b30ab80cc9b916fa2885d0e223ff2b8a0ed619a0cdf795f5ca2f967d76837
SHA3-384 hash: 1d5e4beade620048ebbdaa7d88b83288a1d573e20723e1eb5de1bc7af447d7a74e89dd135943e70626956eeedae972bd
SHA1 hash: 1610d184b622d2724b1826d163511d614397c2f1
MD5 hash: f9f6cbb12a6c6044e47f74d8b06fd10e
humanhash: high-wolfram-one-quiet
File name:vbc(16).exe
Download: download sample
Signature Loki
Create hunting rule
File size:921'600 bytes
First seen:2020-04-27 06:41:52 UTC
Last seen:2020-04-27 08:49:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b7ce6e9cc534608b3c4428d6a1d7e029 (1 x Loki)
ssdeep 24576:qe6vh0pyhUSuog7lKG79X4nWVV0lh7BbMJ:qeynhUrZlKcImqhVMJ
Threatray 1'488 similar samples on MalwareBazaar
TLSH F41512A2F4A07C36C61450781431DE905E247DF4AAC2DA6C362E77AE6AF368339C1F57
Reporter oppimaniac
Tags:Loki

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.BScope.Trojan.Yakes.2301.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-04-27 06:35:38 UTC
File Type:
PE (Exe)
Extracted files:
86
AV detection:
26 of 30 (86.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmvtbk4azsnzc35crboq4ir76k4kb3lbtign66k7lsrpsz6xna3q._file
Verdict:
malicious
Label(s):
lokipasswordstealer(pws)
Create hunting rule
Similar samples:
0491093e9a1ffcff88b06be9028e050c7fda1f70d4c7021bea12fef8cc78fe8f
Loki
1891aa213067db003fc4f6376853c50d740fb24dc5d1eda92bb2f0a429b4891b
Loki
2ba260d53db88ea6ae79af42f97eaa2e22c5fcb0f3e788057ef6e5dc40cd3060
Loki
355b58ec78627d48f3f9ac33a989bfcffa6c81cd9015acb53c024bc7c9681165
Loki
3a2ffd78111d04ce8986e867c0ed71f258e814b302868faa887fa6138cfb8827
Loki
4118da509f4aace1799d5880924a4101d8ed8ee746e0a03a7f47f3cec76eaf58
Loki
53edc68ef8a890aac3c8f6fe8c72e1a8cf5057c600a3f85d12b99b59b05e47be
Loki
7eb32bdb92a9768dfc8f30f22365aaac0d57931a77bffd71eb928f72dcdeab1e
Loki
a4429d0165e0b0c5e3b7840303bed826a9de8122d824622656d9ae9d6e396eea
Loki
ccdcef588215cb5bba1f6877e96d9dc3f83ef7a9bbdedd88235d8e6dbe3c4016
Loki
+ 1'478 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Lokibot
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Lokibot in memory
Reference:internal research
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_lokipws_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Loki

Executable exe ab2b30ab80cc9b916fa2885d0e223ff2b8a0ed619a0cdf795f5ca2f967d76837

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/351792/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaMSACM32.dll::acmDriverDetailsA
WINMM.dll::PlaySoundA
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSASocketA

Comments